1st Committee of Inquiry of the 18th Legislative Period
Evidence Order BMI-1 of 10 April 2014
70 file folders (5 open, 31 VS-NfD, 2 VSV, 32 GEHEIM)





Dear Mr Georgii,


In partial fulfilment of Evidence Order BMI-1, I am transmitting the documents of the Federal Ministry of the Interior listed in the annexes.


In the file folders transmitted, redactions were made on the following grounds:

• protection of employees of German intelligence services
• protection of the fundamental rights of third parties
• lack of factual relation to the investigation mandate, and
• core area of executive responsibility


For the individual grounds, please refer to the tables of contents and justification sheets contained in the file folders.


Insofar as the file holdings transmitted occasionally contain information that does not concern the subject of the investigation, they are transmitted without acknowledgement of any legal obligation.


The AND (foreign intelligence service) documents that were removed are material from foreign intelligence services over which the Federal Ministry of the Interior does not have unrestricted control. Passing them on to the committee of inquiry without the consent of the originator would constitute a breach of the binding security agreements between the Federal Republic of Germany and the originating state.


DELIVERY ADDRESS Alt-Moabit 101 D, 10559 Berlin
TRANSPORT LINKS S-Bahnhof Bellevue; U-Bahnhof Turmstraße
Bus stop Kleiner Tiergarten





MAT A BMI-1-11e_12.pdf, Blatt 2 


Federal Ministry of the Interior


Disregarding agreements under international law could severely impair Germany's ability to cooperate internationally and might prompt other states, for their part, to ignore agreements under international law with Germany in individual cases, thereby harming German interests. A release by the foreign service for submission to the committee of inquiry has not yet been granted. In order to comply with the evidence orders and not to delay the submission of files unnecessarily, these documents have been removed or redacted for the time being.


I consider Evidence Order BMI-1 not yet fully complied with.


Yours sincerely,


On behalf of
auer 
Annex to the table of contents (continued)

Berlin, 27.08.2014

Folder

Classification:
VS-NUR FÜR DEN DIENSTGEBRAUCH













This folder contains redactions of the names of external third parties.

Names of external third parties were redacted for reasons of personal data protection. In a case-by-case review, the committee's interest in the information was weighed against the personal rights of the individual concerned. The Federal Ministry of the Interior came to the conclusion that knowledge of the name does not appear necessary for the investigation and that, in the present case, precedence is therefore to be given to the personal rights of the individual concerned.

Should it emerge in the further course of proceedings that, in the committee's view, knowledge of a person's name does appear necessary after all, the Federal Ministry of the Interior will examine in each individual case whether further disclosure appears possible.

Lack of relation to the investigation mandate

The document bears no relation to the investigation mandate or to the evidence order and is therefore not to be submitted.

Names of companies

The names of companies were redacted. In a case-by-case review, the committee's interest in the information on the one hand and the company's right to protection of its established and operating business on the other were weighed against each other. On the one hand, consideration was given to the extent to which the company's name might appear relevant to the committee of inquiry's interest in clarification. On the other hand, consideration was given to the fact that naming the company before an uncontrollable public could endanger the continued existence of the company and its competitive and economic viability.

Insofar as this weighing came out in favour of the company, the first letter of the company's name and its legal form were nevertheless left unredacted within the portfolio of the Federal Ministry of the Interior, so as to allow at least a general attribution and, where applicable, later enquiries. An exception was made only in those cases in which, owing to the particularities of the individual case, an attribution would already have been possible with near certainty on the basis of these remaining details.

Should it emerge in the further course of proceedings that, because of a specific interest of the committee in the name of a company that the Federal Ministry of the Interior cannot yet foresee at present, disclosure of that name is desired, the Federal Ministry of the Interior will examine in each individual case whether further disclosure appears possible.
Sheets 1-5

Removed for lack of relation to the subject of the investigation
Document 2014/0039178

Dürig, Markus, Dr.
Ever new revelations about NSA spying activities


NSA surveillance continues to cause surprises worldwide. In Germany, resentment is growing over American resistance to a no-spy agreement. The EU Commission is calling for reforms.

Washington/Berlin (dpa) - The massive spying activities of the US intelligence agency NSA are drawing ever wider circles. In Germany, calls for consequences are growing louder. According to new revelations, the NSA can also access computers that are not connected to the internet. The prerequisite is that radio bugs are installed by agents or unsuspecting users, the «New York Times» reported on Wednesday. Among others, the Chinese and Russian militaries as well as computers of the Mexican police and of drug cartels there were infected, but also trade institutions within the EU.

An expert group appointed by US President Barack Obama defended the massive collection of telephone data. This NSA programme is important for the fight against terrorism and should be continued, the experts stated at a Senate hearing in Washington.

Obama will present his plans for a reform of the intelligence services this Friday. According to the «New York Times», however, he does not intend to implement all of the experts' proposals. For instance, he will probably allow the NSA to continue storing the collected telephone metadata itself for the time being. Obama does, however, want to strengthen the privacy of foreigners, it was said. At the same time, doubts are growing that Obama is seeking a comprehensive reform of the intelligence services.

One of the triggers for the debate in Germany was the years-long tapping of Chancellor Angela Merkel's (CDU) mobile phone. As a consequence of this affair, Germany and the USA are currently negotiating a bilateral agreement on cooperation between their intelligence services.

The talks on such a so-called no-spy agreement have, however, stalled. Representatives of the grand coalition as well as of the opposition criticised the American resistance in the Bundestag on Wednesday. Despite the stalled negotiations, the Federal Government intends to stick with the agreement.

On the German side, this resistance in Washington is being met with the threat of suspending other agreements, such as the exchange of bank data between Europe and the USA (Swift), or of putting the negotiations on a US-European free trade area on ice. Hans-Georg Maaßen, head of the Federal Office for the Protection of the Constitution, said in Berlin on Tuesday evening about the consequences of the NSA affair: «We have not carried out any strategic and systematic surveillance of our partners.» The question today is «whether that is still appropriate or whether it needs to be readjusted».

Repairing the relationship with the USA, strained by the NSA affair, is also likely to be among the most important tasks of the new German ambassador in Washington: Peter Wittig, hitherto Germany's representative at the United Nations, will succeed Peter Ammon.

Against the background of the NSA scandal, the EU Commission called for a reform of the system for transferring personal data. The so-called Safe Harbour agreement between the EU and the USA is fiercely contested in the EU Parliament. EU Justice Commissioner Viviane Reding said in Strasbourg that the system must become more transparent. In addition, access to this data in the USA should be limited. «I expect the US authorities to get to work now and really improve the system.»

Some of the «New York Times» information, including on the installation of spying components, had recently been reported by «Spiegel». According to the «New York Times» revelations, the NSA software is in most cases installed via computer networks. The transmitters could either be built into the computer itself or hidden in USB sticks or plugs, it was said, citing documents and government officials. In other cases, surveillance software is loaded over the network.

In total, according to the report, the NSA has equipped almost 100,000 computers worldwide with its programs. In China, a unit of the Chinese army said to be behind cyber attacks in the West was attacked in this way. The Chinese telecommunications giant Huawei rejected reports of security holes in its products. The company's chief financial officer was reacting to a «Spiegel» report according to which the NSA can infiltrate equipment and smartphones of various manufacturers, including Huawei.

According to documents from the trove of the whistleblower Edward Snowden, the US intelligence agency set up two of its own data centres in China, possibly through front companies, the «New York Times» wrote. From there, surveillance software could be smuggled into computers.

The NSA can tap information from the internet in various ways. With the help of its British partner service GCHQ, data records are fished directly from fibre-optic cables. Under the US foreign intelligence law, the NSA can request access to user information from internet companies.
dpa rm/ax/so/pkl yydd xx z2'laj 151904 Jan 14


BND negotiating a spying agreement with other EU intelligence services - Media: ban on industrial espionage also sought

BERLIN, 15 January (AFP) - The Federal Government is negotiating a European spying agreement with the EU partner countries. According to a report by the «Süddeutsche Zeitung» and Norddeutscher Rundfunk on Wednesday evening, the countries are to commit to refraining from spying on each other. A Federal Government spokeswoman told the news agency AFP on request that Chancellor Angela Merkel (CDU) had, in summer 2013, announced among other things the agreement of common intelligence standards for the foreign intelligence services of the EU member states.

The Federal Intelligence Service (BND) had been tasked with drawing up a proposal and coordinating it with the EU partners. «This is an ongoing process in confidential talks», the spokeswoman added.

According to information from «SZ» and NDR, a European so-called no-spy agreement has been under confidential discussion in Berlin for months. At least three such rounds have reportedly taken place so far, chaired by BND Vice-President Guido Müller. According to negotiating circles, the various foreign intelligence services are largely agreed on the objectives, it was further reported. However, various countries, above all Great Britain, do not want a formal agreement. It is now being examined whether there should instead be a joint declaration.

According to the media reports, the aim of such an agreement is a ban on mutual political and economic espionage, which does not exist in the EU to this day. The envisaged agreement would accordingly allow interception measures only for previously agreed purposes, for example combating terrorism or the proliferation of weapons of mass destruction. In addition, the services of the 28 member states would commit not to ask other intelligence services for data on their own citizens if this would not also be permissible under national law. In the past, the suspicion had repeatedly arisen that national protections for citizens were being circumvented in this way.

Last year, in the course of the affair surrounding the US intelligence agency NSA, Germany and France had announced that they wanted to hold bilateral talks with Washington on spying agreements. However, the US-German negotiations have not been making progress for months.

eha/cfm AFP 151859 JAN14


Dr. Markus Dürig
Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de
Document 2014/0088649
From: Dürig, Markus, Dr.
Sent: Wednesday, 19 February 2014 17:36
To: RegIT3
Subject: FW: NSA and crypto standards


Dr. Markus Dürig
Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de


From: Strahl, Claudia
Sent: Friday, 24 January 2014 07:51
To: Dürig, Markus, Dr.; Mantz, Rainer, Dr.
Subject: FW: NSA and crypto standards

Received in the IT3 mailbox, for information and further use

Strahl


From: Vogel, Michael, Dr.
Sent: Thursday, 23 January 2014 20:27
To: IT3
Cc: GIL; PGNSA; BSI Feyerbacher, Beatrice; Schallbruch, Martin; vorzimmerpvp@bsi.bund.de
Subject: NSA and crypto standards

Dear colleagues,

enclosed is a short report on an alleged secret contract between the NSA and RSA.

Best regards

Michael Vogel
German Liaison Officer to the
U.S. Department of Homeland Security

3801 Nebraska Avenue NW
Washington, DC 20528
202-567-1458 (Mobile - DHS)
202-999-5146 (Mobile - BMI)
michael.vogel@HQ.DHS.GOV
michael.vogel@bmi.bund.de








VB BMI DHS
51_krypto_Il.docx

Attachment to document 2014-0088649.msg

1. VB BMI DHS 51_krypto_Il.docx, 2 pages
VB BMI DHS | 23.01.2014

NSA and crypto standards


As already reported on 11.09.2013, it is suspected that the NSA arranged for a weakness to be built into the NIST crypto standard SP 800-90A (backdoor in "Dual EC DRBG").

According to reports by the Reuters agency, the NSA is said to have concluded a secret contract worth 10 million dollars with the company RSA in this connection. It was allegedly agreed that "Dual EC DRBG" would become the default random number generator for the BSafe software.

RSA denies this and points out, among other things, that it had advised all customers in September 2013 to stop using this algorithm.

Moreover, other algorithms had been available for free selection under BSafe.

As already reported on 11.09.2013, it is suspected that the NSA arranged for a weakness to be built into the NIST crypto standard SP 800-90A (backdoor in "Dual EC DRBG").

According to reports by the Reuters agency, the NSA is said to have concluded a secret contract worth 10 million dollars with the company RSA in this connection. Citing sources familiar with the contract, it was allegedly agreed that "Dual EC DRBG" would become the default random number generator for the BSafe software.

RSA is said to have adopted the "Dual Elliptic Curve" algorithm, developed within the NSA, even before NIST recognised it as a standard. The NSA in turn is said to have used this to promote the algorithm to NIST. The contract sum of 10 million dollars allegedly accounted at the time for more than a third of the revenue of the RSA business unit concerned, and the "RSA deal" is said to be a prime example of the NSA's strategic approach of entering into such business relationships with private companies in order to make crypto standards more "pliable" (see the corresponding report on the "Bullrun" project).





RSA denies this and points out that the decision to use Dual EC DRBG as the default was taken as early as 2004. At that time, the NSA had enjoyed the reputation and trust of strengthening crypto standards, not weakening them. Furthermore, it had advised all customers in September 2013 to stop using this algorithm. Moreover, other algorithms had been available for free selection under BSafe.

The Reuters agency's report has apparently already led to boycotts of the upcoming RSA Conference in February 2014.


Dr. Vogel 
Document 2014/0059891
From: Dürig, Markus, Dr.
Sent: Tuesday, 4 February 2014 17:47
To: Spatschke, Norman; RegIT3
Cc: Strahl, Claudia
Subject: FW: NSA/Provider

As discussed:

Please prepare a submission for a new letter from Stn RG to the US IT companies in Germany (which had already been written to in the autumn), enquiring about further information that was previously withheld with reference to US legislation but that may now possibly be provided owing to the new release granted by Holder to the US manufacturers.

Regards, MD


Dr. Markus Dürig
Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de


From: Dürig, Markus, Dr.
Sent: Tuesday, 4 February 2014 17:44
To: Spatschke, Norman
Subject: RE: NSA/Provider

Addendum: I spoke with Mr Schwärzer on the phone; the lead responsibility (FF) is now with us; the first draft had been prepared by Mr Mammen; Ms v. Mohnsdorff sent the drafts of the letters and the reply letters to both State Secretaries' offices. I have promised IT 1 that you will send the draft of the new submission to IT 1 for co-signature (Mz) and approach Ms v. Mohnsdorff tomorrow.

Regards, MD


Dr. Markus Dürig
Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de


From: Dürig, Markus, Dr.
Sent: Tuesday, 4 February 2014 17:12
To: Spatschke, Norman
Subject: FW: NSA/Provider

Dear Mr Spatschke,
please clarify for me today to whom Stn RG had written at the start of the NSA affair and who had prepared it (German subsidiaries of the US groups ( etc.) as well as German telecom companies).

Did IT 3 or IT 1 have the lead responsibility (FF)?
Best regards, MD





Dr. Markus Dürig
Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de


From: Rogall-Grothe, Cornelia
Sent: Tuesday, 4 February 2014 16:53
To: Dürig, Markus, Dr.
Subject: FW: NSA/Provider

As discussed.

Kind regards
Cornelia Rogall-Grothe

State Secretary in the Federal Ministry of the Interior
Federal Government Commissioner for Information Technology

Alt-Moabit 101 D, 10559 Berlin
Telephone: 030 18681-1109
Fax: 030 18681-1135
E-mail: StRG@bmi.bund.de
Internet: www.bmi.bund.de, www.cio.bund.de, www.it-planungsrat.de
IT Summit and innovative government IT services » www.cio.bund.de/aq3





From: Haber, Emily, Dr.
Sent: Tuesday, 4 February 2014 15:37
To: Rogall-Grothe, Cornelia
Subject: NSA/Provider

Dear Ms Rogall,
StS Fritsche spoke to me today about your letter of summer 2013 to the internet providers regarding the NSA and the transfer of data.

Since Holder recently lifted the providers' confidentiality obligations (which several of them had referred to in their replies), he recommended a renewed letter to follow up. Chef BK supported this.

Since this lies within your remit: would you take this up?

Thanks, EH
Document 2014/0060684
From: Spatschke, Norman
Sent: Wednesday, 5 February 2014 12:13
To: OESI3AG; IT1
Cc: Dürig, Markus, Dr.; Schwarzer, Erwin; Weinbrenner, Ulrich; IT3; RegIT3
Subject: VERY URGENT! NSA/PRISM, here: renewed letter to providers
Importance: High

Dear colleagues,

Following coordination with Ms Stn, Ms Stn RG has asked for a submission of a renewed letter to the US providers, reminding them to answer the questions that were transmitted by letter of 11 June 2013.

StF had, with the support of ChefBK, suggested such a course of action to Ms Stn H. The background is the relaxation of data release/confidentiality obligations apparently effected by US Attorney General Holder.

I ask for co-signature or amendment of the attached submission by 3 pm today. After that I will take the liberty of assuming your co-signature (Mz).

140205 StRG
"Vorlage erneutes...

Best regards,
N.Sp.
Attachment to document 2014-0060684.msg

1. 140205 StRG Vorlage erneutes Anschreiben Provider.doc





Division IT 3

IT 3 -

Head of division: MR Dr. Dürig / MR Dr. Mantz
Desk officer: AR Spatschke

Ms Stn Rogall-Grothe

via

the IT Director
the Deputy IT Director

Berlin, 5 February 2014
Extension: 1374/2308/2045

\Gruppenablage01\IT3-(AM)\Spatschke\8 Punkte Plan\Entwicklungen NSAUSAM 40205 StRG Vorlage erneutes Anschreiben Provider.doc


Copies: MB, PStS, StnH, LLS, AL ÖS, Press

Division IT 1 and AG ÖS I 3 have co-signed.

Reference: Your letter to the US providers involved of 11.6.2013

Subject: NSA / PRISM
Annexes: -5-
1. Recommendation

Take note of, approve and sign the attached drafts of renewed letters to the US providers.

2. Facts

By letter of 11 June 2013, you had contacted the German branches of the US providers [redacted] and requested clarification with a total of 10 questions on the involvement of the companies in the "PRISM" programme or comparable NSA programmes.

Five of the companies contacted replied between 13 and 16 June 2013. In essence, they denied the direct cooperation between the companies and US authorities described in the media in connection with the PRISM programme. Data, they said, is transferred at most in individual cases on the basis of the relevant US legal provisions and on the basis of court orders.

The companies [redacted] did not comment, referring to their parent companies [redacted] and [redacted], or did not comment at all.

3. Assessment

Mr St F has, with the support of Chef BK and against the background that US Attorney General Holder is said to have recently relaxed the confidentiality obligations for providers, suggested a renewed letter to the US providers in order to follow up on the replies, which were in part evasive and made with reference to existing confidentiality obligations.

The assessment otherwise corresponds to the attached drafts of letters to the US internet providers. Owing to the different replies, several different letters have to be drawn up.

Dr. Dürig / Dr. Mantz          Spatschke
Annex 1
Letterhead of the State Secretary

Address
Yahoo!, Facebook, Apple

- as per distribution list, Annex 2 -

Subject: My letter of 11 June 2013 concerning the participation of your company in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 and your subsequent reply.

In it, you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation of your company with US intelligence authorities. At most, data is transferred in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible threats to the personal and data protection rights of the German and European citizens who use your services. My questions were as follows:

1. Which categories of data (traffic data, subscriber data) of German users were or are being made available to the US authorities in connection with the "PRISM" programme?

2. Please specify and quantify the data concerned in detail.

3. According to media reports, so-called "Special Requests" are also part of the requests of the US security authorities. Were such "Special Requests" directed to your company and, if so, what was their subject?

4. Is only data of German users transmitted to the US authorities? If this is not the case, please inform me which other nationals are affected.

5. Which organisational unit of your company makes the data available to the US authorities? Which servers are used for this and where are they located?

6. How is the data transmitted to the US security authorities? Do the US security authorities have direct access to the data? Have special interfaces been set up?

7. On what legal basis is the data of German users transmitted to the US authorities? How does your company ensure that the requirements of the respective legal basis are met?

8. Have there been cases in which your company refused the transfer of data of German users? If so, on what grounds?

9. Is the data transmitted to the US authorities further processed by your company?

10. Does your company participate in comparable programmes of the US security authorities in connection with which data of German users is transmitted to authorities on a comprehensive scale? If so, please specify the nature and extent of the data transfer.

Should you have further findings and information, I would be grateful if you would communicate them to me.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 2
Letterhead of the State Secretary

Address
Microsoft

For information:
Skype

- as per distribution list, Annex 5 -

Subject: My letter of 11 June 2013 concerning the participation of your company in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 and your subsequent reply.

In it, you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation of your company with US intelligence authorities. At most, data is transferred in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible threats to the personal and data protection rights of the German and European citizens who use your services. My questions were as follows:

1. Which categories of data (traffic data, subscriber data) of German users were or are being made available to the US authorities in connection with the "PRISM" programme?

2. Please specify and quantify the data concerned in detail.

3. According to media reports, so-called "Special Requests" are also part of the requests of the US security authorities. Were such "Special Requests" directed to your company and, if so, what was their subject?

4. Is only data of German users transmitted to the US authorities? If this is not the case, please inform me which other nationals are affected.

5. Which organisational unit of your company makes the data available to the US authorities? Which servers are used for this and where are they located?

6. How is the data transmitted to the US security authorities? Do the US security authorities have direct access to the data? Have special interfaces been set up?

7. On what legal basis is the data of German users transmitted to the US authorities? How does your company ensure that the requirements of the respective legal basis are met?

8. Have there been cases in which your company refused the transfer of data of German users? If so, on what grounds?

9. Is the data transmitted to the US authorities further processed by your company?

10. Does your company participate in comparable programmes of the US security authorities in connection with which data of German users is transmitted to authorities on a comprehensive scale? If so, please specify the nature and extent of the data transfer.

Should you have further findings and information, I would be grateful if you would communicate them to me.

I ask that you also include in your reply your subsidiary Skype, whose statement referred to a corresponding responsibility of the parent company Microsoft.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 3

Letterhead of the State Secretary

Address:
Google

For information:
YouTube

- per distribution list, Annex 5 -

Re: My letter of 11 June 2013 concerning your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 and the reply you sent in response.

In that reply you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence authorities. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible risks to the privacy and data protection rights of the German and European citizens who use your services. My questions were as follows:

1. Which categories of data (traffic data, subscriber data) of German users were or are being made available to the US authorities in connection with the "PRISM" programme?

2. Please specify and quantify the data concerned in detail.

3. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" directed at your company and, if so, what was their subject?

4. Are only data of German users transmitted to the US authorities? If this is not the case, please inform me which other nationals are affected.

5. Which organisational unit of your company makes the data available to the US authorities? Which servers are accessed for this purpose and where are they located?

6. How are the data transmitted to the US security authorities? Do the US security authorities have direct access to the data? Were special interfaces set up?

7. On what legal basis are the data of German users transmitted to the US authorities? How does your company ensure that the requirements of the respective legal basis are met?

8. Have there been cases in which your company refused the transmission of data of German users? If so, for what reasons?

9. Are the data transmitted to the US authorities further processed by your company?

10. Does your company participate in comparable programmes of the US security authorities in the context of which data of German users are transmitted to authorities on a comprehensive scale? If so, please specify the nature and extent of the data transmission.

Should you have any further findings or information, I would be grateful if you would communicate them to me.

I ask you to include in your reply your subsidiary YouTube, whose statement referred to a corresponding responsibility of the parent company Google.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 4

Letterhead of the State Secretary

Address:
AOL

- per distribution list, Annex 5 -

Re: My letter of 11 June 2013 concerning your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013, which still remains unanswered.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible risks to the privacy and data protection rights of the German and European citizens who use your services. My questions were as follows:

1. Which categories of data (traffic data, subscriber data) of German users were or are being made available to the US authorities in connection with the "PRISM" programme?

2. Please specify and quantify the data concerned in detail.

3. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" directed at your company and, if so, what was their subject?

4. Are only data of German users transmitted to the US authorities? If this is not the case, please inform me which other nationals are affected.

5. Which organisational unit of your company makes the data available to the US authorities? Which servers are accessed for this purpose and where are they located?

6. How are the data transmitted to the US security authorities? Do the US security authorities have direct access to the data? Were special interfaces set up?

7. On what legal basis are the data of German users transmitted to the US authorities? How does your company ensure that the requirements of the respective legal basis are met?

8. Have there been cases in which your company refused the transmission of data of German users? If so, for what reasons?

9. Are the data transmitted to the US authorities further processed by your company?

10. Does your company participate in comparable programmes of the US security authorities in the context of which data of German users are transmitted to authorities on a comprehensive scale? If so, please specify the nature and extent of the data transmission.

Should you have any further findings or information, I would be grateful if you would communicate them to me.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG


Distribution list

Microsoft Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

Yahoo! Deutschland GmbH
Theresienhöhe 12
D - 80339 München

Google Germany GmbH
ABC-Strasse 19
20354 Hamburg

Facebook Germany GmbH
Großer Burstah 50-52
20457 Hamburg

Apple Deutschland GmbH
Arnulfstraße 19
80335 München

YouTube
Großer Burstah 50-52
20457 Hamburg

Skype Deutschland GmbH
Marktplatz 1
14532 Kleinmachnow

AOL Deutschland GmbH & Co. KG
Beim Strohhause 25
20097 Hamburg
Document 2014/0061565
From: Dürig, Markus, Dr.
Sent: Wednesday, 5 February 2014 15:36
To: Strahl, Claudia; Spatschke, Norman; RegIT3
Cc: Kurth, Wolfgang
Subject: FW: VERY URGENT! NSA/PRISM, here: renewed letter to providers

Importance: High

Have the co-signatures (Mz) been obtained? If not, please follow up; if so, I agree with this version (one word added here); please pass it up marked "el. gez. Dürig".
Best regards, MD

From: Spatschke, Norman
Sent: Wednesday, 5 February 2014 12:13
To: OESI3AG; IT1
Cc: Dürig, Markus, Dr.; Schwärzer, Erwin; Weinbrenner, Ulrich; IT3; RegIT3
Subject: VERY URGENT! NSA/PRISM, here: renewed letter to providers
Importance: High

Dear colleagues,

Fr. Stn RG has, after coordination with Fr. Stn, asked for the submission of a renewed letter to the US providers, reminding them to answer the questions that were sent with the letter of 11 June 2013.

StF had, with the support of Chef BK, suggested such an approach to Fr. Stn H. The background is the relaxation of the data release/confidentiality obligations apparently effected by US Attorney General Holder.

I request co-signature of, or additions to, the attached submission by 15:00 today. After that I will take the liberty of assuming your co-signature (Mz).

[Attachment: 140205 StRG Vorlage erneutes...]

Kind regards,
N.Sp.
Attachment of document 2014-0061565.msg

1. 140205 StRG Vorlage erneutes Anschreiben Provider.doc (14 pages)


Referat IT 3    Berlin, 5 February 2014
IT 3 -    Internal extension: 1374/2308/2045
Head of unit: MR Dr. Dürig / MR Dr. Mantz
Case officer: AR Spatschke

C:\Dokumente und Einstellungen\DuerigM\Lokale Einstellungen\Temporary Internet Files\Content.Outlook\K7WOXOVZ\140205 StRG Vorlage erneutes Anschreiben Provider.doc

1) Frau Stn Rogall-Grothe

Via copies:
MB, PStS, StnH, LLS, AL ÖS,
Mr IT-Direktor, Presse

Mr SV IT-Direktor

Unit IT 1 and AG ÖS I 3 have co-signed.

Subject: NSA / PRISM
Reference: Your letter to the US providers involved of 11 June 2013
Enclosures: 5

1. Recommendation

Take note of, approve and sign the attached drafts of renewed letters to the US providers.

2. Facts

By letter of 11 June 2013 you contacted the German subsidiaries of the US providers [redacted] and, with a total of 10 questions, requested clarification regarding the companies' involvement in the "PRISM" programme or comparable NSA programmes.

Five of the companies contacted replied between 13 and 16 June 2013. In essence, they denied the direct cooperation between the companies and US authorities as portrayed in the media in connection with the PRISM programme. Data were said to be transmitted, if at all, in individual cases on the basis of the relevant US legal provisions and on the basis of court orders. The companies [redacted] did not comment, referring to their parent companies [redacted]; [redacted] did not respond at all.

3. Assessment

Mr StF, with the support of Chef BK and against the background that US Attorney General Holder is reported to have recently relaxed the confidentiality obligations for providers, has suggested a renewed letter to the US providers in order to follow up on the replies, which were in part evasive and made with reference to existing confidentiality obligations.

The assessment otherwise corresponds to the attached drafts of letters to the US internet providers. Owing to the differing replies, different letters have to be prepared.

Dr. Dürig / Dr. Mantz    Spatschke
Annex 1

Letterhead of the State Secretary

Address:
Yahoo!, Facebook, Apple

- per distribution list, Annex 5 -

Re: My letter of 11 June 2013 concerning your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 and the reply you sent in response.

In that reply you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence authorities. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible risks to the privacy and data protection rights of the German and European citizens who use your services. My questions were as follows:

1. Which categories of data (traffic data, subscriber data) of German users were or are being made available to the US authorities in connection with the "PRISM" programme?

2. Please specify and quantify the data concerned in detail.

3. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" directed at your company and, if so, what was their subject?

4. Are only data of German users transmitted to the US authorities? If this is not the case, please inform me which other nationals are affected.

5. Which organisational unit of your company makes the data available to the US authorities? Which servers are accessed for this purpose and where are they located?

6. How are the data transmitted to the US security authorities? Do the US security authorities have direct access to the data? Were special interfaces set up?

7. On what legal basis are the data of German users transmitted to the US authorities? How does your company ensure that the requirements of the respective legal basis are met?

8. Have there been cases in which your company refused the transmission of data of German users? If so, for what reasons?

9. Are the data transmitted to the US authorities further processed by your company?

10. Does your company participate in comparable programmes of the US security authorities in the context of which data of German users are transmitted to authorities on a comprehensive scale? If so, please specify the nature and extent of the data transmission.

Should you have any further findings or information, I would be grateful to you if you would communicate them to me.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 2

Letterhead of the State Secretary

Address:
Microsoft

For information:
Skype

- per distribution list, Annex 5 -

Re: My letter of 11 June 2013 concerning your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 and the reply you sent in response.

In that reply you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence authorities. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible risks to the privacy and data protection rights of the German and European citizens who use your services. My questions were as follows:

1. Which categories of data (traffic data, subscriber data) of German users were or are being made available to the US authorities in connection with the "PRISM" programme?

2. Please specify and quantify the data concerned in detail.

3. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" directed at your company and, if so, what was their subject?

4. Are only data of German users transmitted to the US authorities? If this is not the case, please inform me which other nationals are affected.

5. Which organisational unit of your company makes the data available to the US authorities? Which servers are accessed for this purpose and where are they located?

6. How are the data transmitted to the US security authorities? Do the US security authorities have direct access to the data? Were special interfaces set up?

7. On what legal basis are the data of German users transmitted to the US authorities? How does your company ensure that the requirements of the respective legal basis are met?

8. Have there been cases in which your company refused the transmission of data of German users? If so, for what reasons?

9. Are the data transmitted to the US authorities further processed by your company?

10. Does your company participate in comparable programmes of the US security authorities in the context of which data of German users are transmitted to authorities on a comprehensive scale? If so, please specify the nature and extent of the data transmission.

Should you have any further findings or information, I would be grateful if you would communicate them to me.

I ask you to include in your reply your subsidiary Skype, whose statement referred to a corresponding responsibility of the parent company Microsoft.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 3

Letterhead of the State Secretary

Address:
Google

For information:
YouTube

- per distribution list, Annex 5 -

Re: My letter of 11 June 2013 concerning your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 and the reply you sent in response.

In that reply you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence authorities. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible risks to the privacy and data protection rights of the German and European citizens who use your services. My questions were as follows:

1. Which categories of data (traffic data, subscriber data) of German users were or are being made available to the US authorities in connection with the "PRISM" programme?

2. Please specify and quantify the data concerned in detail.

3. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" directed at your company and, if so, what was their subject?

4. Are only data of German users transmitted to the US authorities? If this is not the case, please inform me which other nationals are affected.

5. Which organisational unit of your company makes the data available to the US authorities? Which servers are accessed for this purpose and where are they located?

6. How are the data transmitted to the US security authorities? Do the US security authorities have direct access to the data? Were special interfaces set up?

7. On what legal basis are the data of German users transmitted to the US authorities? How does your company ensure that the requirements of the respective legal basis are met?

8. Have there been cases in which your company refused the transmission of data of German users? If so, for what reasons?

9. Are the data transmitted to the US authorities further processed by your company?

10. Does your company participate in comparable programmes of the US security authorities in the context of which data of German users are transmitted to authorities on a comprehensive scale? If so, please specify the nature and extent of the data transmission.

Should you have any further findings or information, I would be grateful if you would communicate them to me.

I ask you to include in your reply your subsidiary YouTube, whose statement referred to a corresponding responsibility of the parent company Google.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 4

Letterhead of the State Secretary

Address:
AOL

- per distribution list, Annex 5 -

Re: My letter of 11 June 2013 concerning your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013, which still remains unanswered.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible risks to the privacy and data protection rights of the German and European citizens who use your services. My questions were as follows:

1. Which categories of data (traffic data, subscriber data) of German users were or are being made available to the US authorities in connection with the "PRISM" programme?

2. Please specify and quantify the data concerned in detail.

3. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" directed at your company and, if so, what was their subject?

4. Are only data of German users transmitted to the US authorities? If this is not the case, please inform me which other nationals are affected.

5. Which organisational unit of your company makes the data available to the US authorities? Which servers are accessed for this purpose and where are they located?

6. How are the data transmitted to the US security authorities? Do the US security authorities have direct access to the data? Were special interfaces set up?

7. On what legal basis are the data of German users transmitted to the US authorities? How does your company ensure that the requirements of the respective legal basis are met?

8. Have there been cases in which your company refused the transmission of data of German users? If so, for what reasons?

9. Are the data transmitted to the US authorities further processed by your company?

10. Does your company participate in comparable programmes of the US security authorities in the context of which data of German users are transmitted to authorities on a comprehensive scale? If so, please specify the nature and extent of the data transmission.

Should you have any further findings or information, I would be grateful if you would communicate them to me.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG


Annex 5

Distribution list

Microsoft Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

Yahoo! Deutschland GmbH
Theresienhöhe 12
D - 80339 München

Google Germany GmbH
ABC-Strasse 19
20354 Hamburg

Facebook Germany GmbH
Großer Burstah 50-52
20457 Hamburg

Apple Deutschland GmbH
Arnulfstraße 19
80335 München

YouTube
Großer Burstah 50-52
20457 Hamburg

Skype Deutschland GmbH
Marktplatz 1
14532 Kleinmachnow

AOL Deutschland GmbH & Co. KG
Beim Strohhause 25
20097 Hamburg
Document 2014/0061704
From: Dürig, Markus, Dr.
Sent: Wednesday, 5 February 2014 15:58
To: Spatschke, Norman; RegIT3
Subject: FW: VERY URGENT! NSA/PRISM, here: renewed letter to providers

One word added; agreed on that basis.
Dü

From: Spatschke, Norman
Sent: Wednesday, 5 February 2014 15:49
To: Dürig, Markus, Dr.
Subject: RE: VERY URGENT! NSA/PRISM, here: renewed letter to providers

Dear Mr Dürig,
with the request for approval of this version (already RS).

Regards, n.Sp.

[Attachment: 140205 RS StRG Vorlage erneute...]

From: Dürig, Markus, Dr.
Sent: Wednesday, 5 February 2014 15:36
To: Strahl, Claudia; Spatschke, Norman; RegIT3
Cc: Kurth, Wolfgang
Subject: FW: VERY URGENT! NSA/PRISM, here: renewed letter to providers
Importance: High

Have the co-signatures (Mz) been obtained? If not, please follow up; if so, I agree with this version (one word added here); please pass it up marked "el. gez. Dürig".
Best regards, MD

From: Spatschke, Norman
Sent: Wednesday, 5 February 2014 12:13
To: OESI3AG; IT1
Cc: Dürig, Markus, Dr.; Schwärzer, Erwin; Weinbrenner, Ulrich; IT3; RegIT3
Subject: VERY URGENT! NSA/PRISM, here: renewed letter to providers
Importance: High

Dear colleagues,

Fr. Stn RG has, after coordination with Fr. Stn, asked for the submission of a renewed letter to the US providers, reminding them to answer the questions that were sent with the letter of 11 June 2013.

StF had, with the support of Chef BK, suggested such an approach to Fr. Stn H. The background is the relaxation of the data release/confidentiality obligations apparently effected by US Attorney General Holder.

I request co-signature of, or additions to, the attached submission by 15:00 today. After that I will take the liberty of assuming your co-signature (Mz).

<<File: 140205 StRG Vorlage erneutes Anschreiben Provider.doc>>

Kind regards,
N.Sp.
Attachment of document 2014-0061704.msg

1. 140205 RS StRG Vorlage erneutes Anschreiben Provider Mz IT 1 OES I 3.doc (14 pages)
Referat IT 3    Berlin, 5 February 2014
IT 3 - 13002/1#3    Internal extension: 1374/2308/2045
Head of unit: MR Dr. Dürig / MR Dr. Mantz
Case officer: AR Spatschke

Frau Stn Rogall-Grothe

Via copies:
MB, PStS, PStK, StnH, LLS, AL ÖS,
Mr IT-Direktor, Presse

Mr SV IT-Direktor
Unit IT 1 and AG ÖS I 3 have co-signed.

Subject: NSA / PRISM
Reference: Your letters to the US providers involved of 11 June and 9 August 2013
Enclosures: 5

1. Recommendation
Take note of, approve and sign the attached drafts of renewed letters to the US providers.

2. Facts
By letter of 11 June and a reminder of 9 August 2013 you contacted the German subsidiaries of the US providers [redacted] and, with a total of eight questions, requested clarification regarding the companies' involvement in the "PRISM" programme or comparable NSA programmes.

Five of the companies contacted replied between 13 and 16 June 2013. In essence, they denied the direct cooperation between the companies and US authorities as portrayed in the media in connection with the PRISM programme. Data were said to be transmitted, if at all, in individual cases on the basis of the relevant US legal provisions and on the basis of court orders. The companies [redacted] did not comment, referring to their parent companies [redacted]. [Redacted] did not respond at all, even to the follow-up enquiry of 9 August 2013.

3. Assessment
Mr StF, with the support of Chef BK and against the background that US Attorney General Holder is reported to have recently relaxed the confidentiality obligations for providers, has suggested a renewed letter to the US providers in order to follow up on the replies, which were in part evasive and made with reference to existing confidentiality obligations.

The assessment otherwise corresponds to the attached drafts of letters to the US internet providers. Owing to the differing replies, different letters have to be prepared.

Electronically signed    Electronically signed
Dr. Dürig / p.p. Dr. Mantz    Spatschke
Annex 1
Letterhead of the State Secretary

Address:
Yahoo!, Facebook, Apple

- per distribution list, Annex 5 -

Re: My letters of 11 June and 9 August 2013 concerning your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 and the reply you sent in response.

In that reply you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence authorities. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

My questions were as follows:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Are data of German users also affected within the scope of this cooperation?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused the transmission of data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed at your company and, if so, what was their subject?

Should you have any further findings or information, I would also be grateful to you if you would communicate them to me.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 2
Letterhead of the State Secretary

Address:
Microsoft

For information:
Skype

- per distribution list, Annex 5 -

Re: My letters of 11 June and 9 August 2013 concerning your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 and the reply you sent in response.

In that reply you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence authorities. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the clarification of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

My questions were as follows:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Are data of German users also affected within the scope of this cooperation?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused the transmission of data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed at your company and, if so, what was their subject?

Should you have any further findings or information, I would also be grateful if you would communicate them to me.

I ask you to include in your reply your subsidiary Skype, which in its statement referred to a corresponding responsibility of the parent company Microsoft.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 3
Letterhead of the State Secretary
Address

Google

cc:
YouTube

- per distribution list, Annex 5 -

Subject: My letters of 11 June and 9 August 2013 regarding your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer to my letter of 11 June 2013 and your subsequent reply.

In it, you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence agencies. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the investigation of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

My questions were as follows:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Are data of German users also affected within the scope of this cooperation?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, on what grounds?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed at your company and, if so, what was their subject?

Should you have further findings and information, I would also be grateful if you would share them.

I ask that you also include your subsidiary YouTube in your reply, which in its statement referred to the corresponding responsibility of its parent company Google.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 4
Letterhead of the State Secretary
Address

AOL

- per distribution list, Annex 5 -

Subject: My letters of 11 June and 9 August 2013 regarding your company's participation in US intelligence programmes

Dear Sir or Madam,

I refer to my letter of 11 June 2013, which remains unanswered.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer my questions comprehensively, in order to advance the investigation of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

My questions were as follows:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Are data of German users also affected within the scope of this cooperation?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, on what grounds?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed at your company and, if so, what was their subject?

Should you have further findings and information, I would be grateful if you would share them.

Please let me have your reply by 28 February 2014.

Yours sincerely,
N.d.Fr.StnRG
Annex 5 (distribution list)

Microsoft Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

Yahoo! Deutschland GmbH
Theresienhöhe 12
D - 80339 München

Google Germany GmbH
ABC-Strasse 19
20354 Hamburg

Facebook Germany GmbH
Großer Burstah 50-52
20457 Hamburg

Apple Deutschland GmbH
Arnulfstraße 19
80335 München

YouTube
Großer Burstah 50-52
20457 Hamburg

Skype Deutschland GmbH
Marktplatz 1
14532 Kleinmachnow

AOL Deutschland GmbH & Co. KG
Beim Strohhause 25
20097 Hamburg
Dokument 2014/0071579
From: Spatschke, Norman
Sent: Tuesday, 11 February 2014 17:42
To: StRogall-Grothe_; Franßen-Sanchez de la Cerda, Boris
Cc: ITD; IT3; Dürig, Markus, Dr.; Mantz, Rainer, Dr.; Loose, Katrin; RegIT3; Mammen, Lars, Dr.
Subject: RE: Letters to the US providers

Dear Mr Franßen,
I report completion: the letters have gone out. As Ms Krahn told me, they are also to be sent by post tomorrow.

@RegIT3 Please add to the file.

[Attachments: six files named "Schreiben des Bundesministeriu..."]

Kind regards,
N. Spatschke
BMI - IT 3; -2045

Help save paper! Do you really need to print this e-mail?

From: StRogall-Grothe
Sent: Tuesday, 11 February 2014 16:31
To: Spatschke, Norman
Cc: ITD; IT3_; Dürig, Markus, Dr.; Mantz, Rainer, Dr.; Loose, Katrin; Franßen-Sanchez de la Cerda, Boris
Subject: Letters to the US providers

Dear Mr Spatschke,

attached are the letters to the US providers for electronic dispatch. The original outgoing letters referred to should be available from Dr Mantz; he handled their dispatch in June 2013.

<< File: 1102_AOL.pdf >> << File: 1102_Apple.pdf >> << File: 1102_Facebook.pdf >> << File: 1102_Google.pdf >> << File: 1102_Microsoft, Skype.pdf >> << File: 1102_Yahoo.pdf >>

Kind regards
pp Kathrin Krahn

Office of the State Secretary and
Federal Government Commissioner
for Information Technology
Cornelia Rogall-Grothe
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 - 18681-1107
Fax: 030 - 18681-1135
email: strg@bmi.bund.de
kathrin.krahn@bmi.bund.de
Attachments of document 2014-0071579.msg

1. Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
2. [1]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
3. [2]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
4. [3]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
5. [4]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
6. [5]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
From: IT3_
Sent: Tuesday, 11 February 2014 17:36
To: 'AOLKontakt@aol.com'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; advance copy by e-mail

IT 3 - 17002/9#1

Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its annex, with the request that you pass it on to your management.

[Attachments: 1102_AOL.pdf; image2013-06-11... (annex)]

Kind regards
pp
Norman Spatschke
Federal Ministry of the Interior
IT 3 - IT Security

Telephone: (030)18 681 2045
PC-Fax: (030)18 681 59352

mailto: Norman.Spatschke@bmi.bund.de
Attachments of Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_AOL.pdf  1 page
2. image2013-06-11-191158.pdf  2 pages
Federal Ministry of the Interior

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

AOL Deutschland GmbH & Co. KG
Postfach 101110
20007 Hamburg

- advance copy by e-mail or fax -

OFFICE ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de
DATE 11 February 2014
FILE REFERENCE IT 3 - 17002/9#1

Dear Sir or Madam,

I refer to my letter of 11 June 2013 regarding your company's participation in US intelligence programmes, which remains unanswered.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer the questions raised, in order to advance the investigation of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them. I enclose my original letter of 11 June 2013 again.

Please let me have your reply by 7 March 2014.

Yours sincerely

[signature]
Federal Ministry of the Interior

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

AOL Deutschland GmbH & Co. KG
Postfach 101110
20007 Hamburg

- advance copy by e-mail or fax -

OFFICE ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de
DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible implications for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Are data of German users also affected within the scope of this cooperation?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, on what grounds?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed at your company and, if so, what was their subject?

I would be obliged if you could answer my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the matter presented in the media.

Yours sincerely

[signature]
From: IT3_
Sent: Tuesday, 11 February 2014 17:34
To: support-de@google.com; rbremer@google.com
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; advance copy by e-mail

IT3 - 17002/9#1

Dear Mr Bremer,
Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its annexes, with the request that you pass it on to your management.

[Attachments: 1102_Google.pdf; image2013-06-11... and image2013-06-11... (annexes)]

Kind regards
pp
Norman Spatschke
Federal Ministry of the Interior
IT 3 - IT Security

Telephone: (030)18 681 2045
PC-Fax: (030)18 681 59352

mailto: Norman.Spatschke@bmi.bund.de

Attachments of [1]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_Google.pdf  2 pages
2. image2013-06-11-191028.pdf  2 pages
3. image2013-06-11-191245.pdf  2 pages
Federal Ministry of the Interior

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Google Germany GmbH
ABC-Strasse 19
20354 Hamburg

cc:
YouTube
ABC-Strasse 19
20354 Hamburg

- advance copy by e-mail or fax -

OFFICE ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de
DATE 11 February 2014
FILE REFERENCE IT 3 - 17002/9#1

Dear Sir or Madam,

I refer to my letter of 11 June 2013 regarding your company's participation in US intelligence programmes and your subsequent reply.

In it, you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence agencies. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer the questions raised, in order to advance the investigation of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them. I enclose my original letter of 11 June 2013 again.

I ask that you also include your subsidiary YouTube in your reply, which in its statement referred to the corresponding responsibility of its parent company Google.

Please let me have your reply by 7 March 2014.

Yours sincerely
Federal Ministry of the Interior

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Google Germany GmbH
ABC-Straße 19
20354 Hamburg

- advance copy by e-mail or fax -

OFFICE ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de
DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible implications for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Are data of German users also affected within the scope of this cooperation?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, on what grounds?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed at your company and, if so, what was their subject?

I would be obliged if you could answer my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the matter presented in the media.

Yours sincerely

[signature]
Federal Ministry of the Interior

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

YouTube
ABC-Straße 19
20354 Hamburg

- advance copy by e-mail or fax -

OFFICE ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de
DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible implications for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Are data of German users also affected within the scope of this cooperation?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, on what grounds?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed at your company and, if so, what was their subject?

I would be obliged if you could answer my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the matter presented in the media.

Yours sincerely
From: IT3_
Sent: Tuesday, 11 February 2014 17:20
To:
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; advance copy by e-mail

IT3 - 17002/9#1

Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its annex, with the request that you pass it on to your management.

[Attachments: image2013-06-11... (annex); a further attachment whose file name is not legible]

Kind regards
pp
Norman Spatschke

Federal Ministry of the Interior
IT 3 - IT Security

Telephone: (030)18 681 2045
PC-Fax: (030)18 681 59352

mailto: Norman.Spatschke@bmi.bund.de
From: IT3_
Sent: Tuesday, 11 February 2014 17:20
To: 'empfang1.ger@apple.com'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; advance copy by e-mail

IT3 - 17002/9#1

Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its annex, with the request that you pass it on to your management.

[Attachments: 1102_Apple.pdf; image2013-06-11... (annex)]

Kind regards
pp
Norman Spatschke
Federal Ministry of the Interior
IT 3 - IT Security

Telephone: (030)18 681 2045
PC-Fax: (030)18 681 59352

mailto: Norman.Spatschke@bmi.bund.de

Attachments of [2]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_Apple.pdf  1 page
2. image2013-06-11-191222.pdf  2 pages
Federal Ministry of the Interior

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Apple Deutschland GmbH
Arnulfstraße 19
80335 München

- advance copy by e-mail or fax -

OFFICE ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de
DATE 11 February 2014
FILE REFERENCE IT 3 - 17002/9#1

Dear Sir or Madam,

I refer to my letter of 11 June 2013 regarding your company's participation in US intelligence programmes and your subsequent reply.

In it, you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence agencies. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer the questions raised, in order to advance the investigation of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them. I enclose my original letter of 11 June 2013 again.

Please let me have your reply by 7 March 2014.

Yours sincerely

[signature]
Federal Ministry of the Interior

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Apple Deutschland GmbH
Arnulfstraße 19
80335 München

- advance copy by e-mail or fax -

OFFICE ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de
DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible implications for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Are data of German users also affected within the scope of this cooperation?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, on what grounds?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed at your company and, if so, what was their subject?

I would be obliged if you could answer my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the matter presented in the media.

Yours sincerely

[signature]
From: IT3_
Sent: Tuesday, 11 February 2014 17:17
To: 'Gunnar Bender'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; advance copy by e-mail

IT3 - 17002/9#1

Dear Mr Bender,
Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its annex, with the request that you pass it on to your management.

[Attachments: 1102_Facebook.pdf; image2013-06-11... (annex)]

Kind regards
pp
Norman Spatschke
Federal Ministry of the Interior
IT 3 - IT Security

Telephone: (030)18 681 2045
PC-Fax: (030)18 681 59352

mailto: Norman.Spatschke@bmi.bund.de

Attachments of [3]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_Facebook.pdf  1 page
2. image2013-06-11-191101.pdf  2 pages
Federal Ministry of the Interior

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Facebook Germany GmbH
Großer Burstah 50-52
20457 Hamburg

- advance copy by e-mail or fax -

OFFICE ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de
DATE 11 February 2014
FILE REFERENCE IT 3 - 17002/9#1

Dear Sir or Madam,

I refer to my letter of 11 June 2013 regarding your company's participation in US intelligence programmes and your subsequent reply.

In it, you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence agencies. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer the questions raised, in order to advance the investigation of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them. I enclose my original letter of 11 June 2013 again.

Please let me have your reply by 7 March 2014.

Yours sincerely

[signature]
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Facebook Germany GmbH
Großer Burstah 50-52
20457 Hamburg

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 June 2013
FILE REFERENCE: IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable dangers to the personal and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible consequences for the rights of German users. In this context I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users addressed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely
From: IT3_
Sent: Tuesday, 11 February 2014 17:12
To: 'sterlj@yahoo-inc.com'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; in advance by e-mail

IT 3 - 17002/9#1

Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with the attachments, with the request that it be passed on to your management.

Attachments: 1102_Yahoo.pdf

Kind regards

On behalf of

Norman Spatschke
Bundesministerium des Innern
IT 3 - IT Security

Telephone: (030) 18 681 2045
PC fax: (030) 18 681 59352

mailto: Norman.Spatschke@bmi.bund.de

Help save paper! Do you really need to print this e-mail?

Attachments of [4]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_Yahoo.pdf, 1 page
2. image2013-06-11-190949.pdf, 2 pages
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Yahoo! Deutschland GmbH
Theresienhöhe 12
80339 München

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 February 2014
FILE REFERENCE: IT 3 - 17002/9#1

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 concerning the participation of your company in US intelligence programmes and the reply you subsequently sent.

In it you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation of your company with US intelligence agencies. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Since US Attorney General Eric Holder recently relaxed the existing confidentiality obligations, I take the liberty of reminding you of the answers to the questions raised, in order to advance the clarification of possible interference with the personal and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them with me. I enclose my original letter of 11 June 2013 once again.

Please let me have your reply by 7 March 2014.

Yours sincerely
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Yahoo! Deutschland GmbH
Theresienhöhe 12
80339 München

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 June 2013
FILE REFERENCE: IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable dangers to the personal and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible consequences for the rights of German users. In this context I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users addressed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely
From: IT3_
Sent: Tuesday, 11 February 2014 17:09
To: 'prserv@microsoft.com'
Cc: 'prteam@skype.net'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; in advance by e-mail

IT 3 - 17002/9#1

Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with the attachments, with the request that it be passed on to your management.

Attachments: 1102_Microsoft, Skype.pdf; image2013-06-11...; image2013-06-11...

Kind regards

On behalf of

Norman Spatschke
Bundesministerium des Innern
IT 3 - IT Security

Telephone: (030) 18 681 2045
PC fax: (030) 18 681 59352

mailto: Norman.Spatschke@bmi.bund.de

Help save paper! Do you really need to print this e-mail?

Attachments of [5]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_Microsoft, Skype.pdf, 2 pages
2. image2013-06-11-190912.pdf, 2 pages
3. image2013-06-11-191131.pdf, 2 pages
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Microsoft Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

for information:
Skype Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 February 2014
FILE REFERENCE: IT 3 - 17002/9#1

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 concerning the participation of your company in US intelligence programmes and the reply you subsequently sent.

In it you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation of your company with US intelligence agencies. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Since US Attorney General Eric Holder recently relaxed the existing confidentiality obligations, I take the liberty of reminding you of the answers to the questions raised, in order to advance the clarification of possible interference with the personal and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them with me. I enclose my original letter of 11 June 2013 once again.

I ask you to include in your reply your subsidiary Skype, which in its statement referred to the corresponding responsibility of the parent company Microsoft.

Please let me have your reply by 7 March 2014.

Yours sincerely
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Microsoft Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 June 2013
FILE REFERENCE: IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable dangers to the personal and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible consequences for the rights of German users. In this context I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users addressed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely

Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Skype Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 June 2013
FILE REFERENCE: IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable dangers to the personal and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible consequences for the rights of German users. In this context I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users addressed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely
Dokument 2014/0071898
From: Spatschke, Norman
Sent: Wednesday, 12 February 2014 09:54
To: StHaber_; PGNSA; MB_
Cc: Dimroth, Johannes, Dr.; Weinbrenner, Ulrich; Kibele, Babette, Dr.; RegIT3; Dürig, Markus, Dr.; Mantz, Rainer, Dr.
Subject: FW: Letters to the US providers

LK,
attached, for your information, I am sending the copies of the (reminder) letters to the US providers that were sent electronically yesterday. Copies of the submission are on their way to you.

Best regards,
N.Sp.

From: Spatschke, Norman
Sent: Tuesday, 11 February 2014 17:42
To: StRogall-Grothe_; Franßen-Sanchez de la Cerda, Boris
Cc: ITD_; IT3_; Dürig, Markus, Dr.; Mantz, Rainer, Dr.; Loose, Katrin; RegIT3; Mammen, Dr.
Subject: RE: Letters to the US providers

Dear Mr Franßen,
I report completion: the letters have gone out. As Ms Krahn told me, they are also to be sent by post tomorrow.

(Reg IT3: please add to the file.)

Attachments (6): Schreiben des Bundesministeriu... (×6)

Kind regards,
N. Spatschke
BMI - IT 3; -2045

Help save paper! Do you really need to print this e-mail?

From: StRogall-Grothe_
Sent: Tuesday, 11 February 2014 16:31
To: Spatschke, Norman
Cc: ITD_; IT3_; Dürig, Markus, Dr.; Mantz, Rainer, Dr.; Loose, Katrin; Franßen-Sanchez de la Cerda, Boris
Subject: Letters to the US providers

Dear Mr Spatschke,

attached are the letters to the US providers for electronic transmission. The original letters referred to should be found with Dr Mantz. He took care of sending them in June 2013.

<< File: 1102_AOL.pdf >> << File: 1102_Apple.pdf >> << File: 1102_Facebook.pdf >> << File: 1102_Google.pdf >> << File: 1102_Microsoft, Skype.pdf >> << File: 1102_Yahoo.pdf >>

Yours sincerely

On behalf of
Kathrin Krahn

Office of the State Secretary and
Federal Government Commissioner
for Information Technology
Cornelia Rogall-Grothe
Bundesministerium des Innern
Alt-Moabit 101 D
10559 Berlin

Tel.: 030 - 18681-1107
Fax: 030 - 18681-1135

email: strg@bmi.bund.de
kathrin.krahn@bmi.bund.de
Attachments of Dokument 2014-0071898.msg

1. Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
2. [1]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
3. [2]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
4. [3]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
5. [4]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
6. [5]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg
From: IT3_
Sent: Tuesday, 11 February 2014 17:36
To: 'AOLKontakt@aol.com'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; in advance by e-mail

IT 3 - 17002/9#1

Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with the attachment, with the request that it be passed on to your management.

Attachments: 1102_AOL.pdf; image2013-06-11...

Kind regards

On behalf of

Norman Spatschke
Bundesministerium des Innern
IT 3 - IT Security

Telephone: (030) 18 681 2045
PC fax: (030) 18 681 59352

mailto: Norman.Spatschke@bmi.bund.de

Help save paper! Do you really need to print this e-mail?

Attachments of Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_AOL.pdf, 1 page
2. image2013-06-11-191158.pdf, 2 pages
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

AOL Deutschland GmbH & Co. KG
Postfach 101110
20007 Hamburg

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 February 2014
FILE REFERENCE: IT 3 - 17002/9#1

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 concerning the participation of your company in US intelligence programmes, to which a reply is still outstanding.

Since US Attorney General Eric Holder recently relaxed the existing confidentiality obligations, I take the liberty of reminding you of the answers to the questions raised, in order to advance the clarification of possible interference with the personal and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them with me. I enclose my original letter of 11 June 2013 once again.

Please let me have your reply by 7 March 2014.

Yours sincerely
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

AOL Deutschland GmbH & Co. KG
Postfach 101110
20007 Hamburg

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 June 2013
FILE REFERENCE: IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable dangers to the personal and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible consequences for the rights of German users. In this context I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users addressed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely
From: IT3_
Sent: Tuesday, 11 February 2014 17:34
To: support-de@google.com; rbremer@google.com
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; in advance by e-mail

IT 3 - 17002/9#1

Dear Mr Bremer,
Dear Sir or Madam,

I am forwarding the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with the attachments, with the request that it be passed on to your management.

Attachments: 1102_Google.pdf; image2013-06-11...; image2013-06-11...

Kind regards

On behalf of

Norman Spatschke
Bundesministerium des Innern
IT 3 - IT Security

Telephone: (030) 18 681 2045
PC fax: (030) 18 681 59352

mailto: Norman.Spatschke@bmi.bund.de

Help save paper! Do you really need to print this e-mail?

Attachments of [1]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_Google.pdf, 2 pages
2. image2013-06-11-191028.pdf, 2 pages
3. image2013-06-11-191245.pdf, 2 pages


Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Google Germany GmbH
ABC-Strasse 19
20354 Hamburg

for information:
YouTube
ABC-Strasse 19
20354 Hamburg

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 February 2014
FILE REFERENCE: IT 3 - 17002/9#1

Dear Sir or Madam,

I refer back to my letter of 11 June 2013 concerning the participation of your company in US intelligence programmes and the reply you subsequently sent.

In it you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation of your company with US intelligence agencies. At most, you stated, data are transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Since US Attorney General Eric Holder recently relaxed the existing confidentiality obligations, I take the liberty of reminding you of the answers to the questions raised, in order to advance the clarification of possible interference with the personal and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them with me. I enclose my original letter of 11 June 2013 once again.

I ask you to include in your reply your subsidiary YouTube, which in its statement referred to the corresponding responsibility of the parent company Google.

Please let me have your reply by 7 March 2014.

Yours sincerely
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Bundesministerium des Innern, 11014 Berlin

Google Germany GmbH
ABC-Straße 19
20354 Hamburg

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 June 2013
FILE REFERENCE: IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable dangers to the personal and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible consequences for the rights of German users. In this context I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users addressed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely
Bundesministerium des Innern

Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

YouTube
ABC-Straße 19
20354 Hamburg

- in advance by e-mail or fax -

STREET ADDRESS: Alt-Moabit 101 D, 10559 Berlin
TEL: +49 (0)30 18 681-1109
FAX: +49 (0)30 18 681-1135
E-MAIL: StRG@bmi.bund.de
DATE: 11 June 2013
FILE REFERENCE: IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable dangers to the personal and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and their possible consequences for the rights of German users. In this context I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users addressed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely
From: IT3_
Sent: Tuesday, 11 February 2014 17:20
To: 'empfang1.ger@apple.com'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; in advance by e-mail

IT 3 - 17002/9#1

Dear Sir or Madam,

I am sending you the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its enclosure, with the request that it be forwarded to your management.

[Attachment: 1102_Apple.pdf]

Enclosure:

[Attachment: image2013-06-11...]

Kind regards
On behalf of
Norman Spatschke
Federal Ministry of the Interior
IT 3 - IT Security

Telephone: (030)18 681 2045
PC fax: (030)18 681 59352

mailto:Norman.Spatschke@bmi.bund.de

Help save paper! Do you really need to print this e-mail?

Attachments:
1. 1102_Apple.pdf 1 page
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

Apple Deutschland GmbH
Arnulfstraße 19
80335 München

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

- in advance by e-mail or fax -

DATE 11 February 2014
FILE REFERENCE IT 3 - 17002/9#1

Dear Sir or Madam,

I refer to my letter of 11 June 2013 concerning your company's participation in US intelligence programmes and your subsequent reply.

In it you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence agencies. At most, data were transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer the questions raised, in order to advance the clarification of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them. I enclose my original letter of 11 June 2013 again.

Please let me have your reply by 7 March 2014.

Yours sincerely,
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

Apple Deutschland GmbH
Arnulfstraße 19
80335 München

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

- in advance by e-mail or fax -

DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and the possible consequences for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely,
From: IT3_
Sent: Tuesday, 11 February 2014 17:17
To: 'Gunnar Bender'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; in advance by e-mail

IT 3 - 17002/9#1

Dear Mr Bender,
Dear Sir or Madam,

I am sending you the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its enclosure, with the request that it be forwarded to your management.

[Attachment: 1102_Facebook.pdf]

Enclosure:

[Attachment: image2013-06-11...]

Kind regards
On behalf of
Norman Spatschke

Federal Ministry of the Interior
IT 3 - IT Security

Telephone: (030)18 681 2045
PC fax: (030)18 681 59352

mailto:Norman.Spatschke@bmi.bund.de
Help save paper! Do you really need to print this e-mail?

Attachments to [3]Schreiben des Bundesministeriums des Innern vom 11. Februar 2014; vorab per E-Mail.msg

1. 1102_Facebook.pdf 1 page
2. image2013-06-11-191101.pdf 2 pages


1 Bundesministerium 


des Innern 


Cornelia Rogall-Grothe 
Staatssekretärin 
Beauftragte der Bundesregierung 


Bundesministerium des Innern, 11014 Berlin für Informationstechnik 


Facebook Germany GmbH 
Großer Burstah 50-52 HAUSANSCHRIFT Alt-Moabit 101 D, 10559 Berlin 
20457 Hamburg | TEL +49 (0)30 18 681-1109 
l FAX +49 (0)30 18 681-1135 
- vorab per E-Mail bzw. Fax - EMAL StRG@bmi.bund.de 


DATUM 11. Februar 2014 
AKTENZEICHEN JT 3 - 17002/9#1 


Sehr geehrte Damen und Herren, 


ich komme zurück auf mein Schreiben vom 11. Juni 2013 bezüglich einer Beteiligung 
Ihres Unternehmens an US-Geheimdienstprogrammen und Ihr daraufhin erfolgtes 
Antwortschreiben. 


Sie hatten darin in allgemeiner Form auf bestehende Verschwiegenheitspflichten 
verwiesen und im Übrigen eine unmittelbare Zusammenarbeit Ihres Unternehmens 
mit US-Geheimdienstbehörden dementiert. Allenfalls erfolge die Übermittlung von 
Daten im Einzelfall auf der Basis entsprechender Rechtsgrundlagen und auf der 
Grundlage richterlicher Beschlüsse. 


Nachdem US-Justizminister Eric Holder kürzlich die bestehenden Verschwiegen- 
heitspflichten gelockert hat, erlaube ich mir, an die Beantwortung der aufgeworfenen 
Fragen zu erinnern, um die Aufklärung möglicher Eingriffe in die Persönlichkeits- und 
Datenschutzrechte der deutschen und europäischen Bürgerinnen und Bürger, die 
Ihre Angebote nutzen, voranzutreiben. 


Sollten Sie über weitergehende Erkenntnisse und Informationen verfügen, wäre ich 
Ihnen auch für deren Mitteilung dankbar. Mein Ausgangsschreiben vom 11. Juni 
2013 füge ich erneut bei. 


Bitte lassen Sie mir Ihre Antwort bis zum 7. März 2014 zukommen. 


Mit freundlichen Grüßen 


io d | 
29978 Job 


( 


V 
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

- in advance by e-mail or fax -

DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and the possible consequences for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely,
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

Facebook Germany GmbH
Großer Burstah 50-52
20457 Hamburg

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

- in advance by e-mail or fax -

DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and the possible consequences for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?
From: IT3_
Sent: Tuesday, 11 February 2014 17:12
To: 'sterlj@yahoo-inc.com'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; in advance by e-mail

IT 3 - 17002/9#1

Dear Sir or Madam,

I am sending you the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its enclosures, with the request that it be forwarded to your management.

[Attachment: 1102_Yahoo.pdf]

Kind regards

On behalf of

Norman Spatschke
Federal Ministry of the Interior

IT 3 - IT Security

Telephone: (030)18 681 2045

PC fax: (030)18 681 59352

mailto:Norman.Spatschke@bmi.bund.de

Help save paper! Do you really need to print this e-mail?
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

Yahoo! Deutschland GmbH
Theresienhöhe 12
80339 München

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

- in advance by e-mail or fax -

DATE 11 February 2014
FILE REFERENCE IT 3 - 17002/9#1

Dear Sir or Madam,

I refer to my letter of 11 June 2013 concerning your company's participation in US intelligence programmes and your subsequent reply.

In it you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence agencies. At most, data were transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer the questions raised, in order to advance the clarification of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them. I enclose my original letter of 11 June 2013 again.

Please let me have your reply by 7 March 2014.

Yours sincerely,
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

Yahoo! Deutschland GmbH
Theresienhöhe 12
80339 München

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

- in advance by e-mail or fax -

DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and the possible consequences for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely,
From: IT3_
Sent: Tuesday, 11 February 2014 17:09
To: 'prserv@microsoft.com'
Cc: 'prteam@skype.net'
Subject: Letter from the Federal Ministry of the Interior of 11 February 2014; in advance by e-mail

IT 3 - 17002/9#1

Dear Sir or Madam,

[Attachment: 1102_Microsoft, Skype.pdf]

I am sending you the attached letter of today's date from the State Secretary at the Federal Ministry of the Interior, Ms Cornelia Rogall-Grothe, together with its enclosures, with the request that it be forwarded to your management.

Enclosure:

[Attachments: image2013-08-11..., image2013-06-11...]

Kind regards

On behalf of

Norman Spatschke
Federal Ministry of the Interior
IT 3 - IT Security

Telephone: (030)18 681 2045
PC fax: (030)18 681 59352

mailto:Norman.Spatschke@bmi.bund.de

Help save paper! Do you really need to print this e-mail?
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

Microsoft Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

for information:
Skype Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

DATE 11 February 2014
FILE REFERENCE IT 3 - 17002/9#1

- in advance by e-mail or fax -

Dear Sir or Madam,

I refer to my letter of 11 June 2013 concerning your company's participation in US intelligence programmes and your subsequent reply.

In it you referred in general terms to existing confidentiality obligations and otherwise denied any direct cooperation between your company and US intelligence agencies. At most, data were transmitted in individual cases on the basis of the relevant legal provisions and on the basis of court orders.

Now that US Attorney General Eric Holder has recently relaxed the existing confidentiality obligations, I take the liberty of reminding you to answer the questions raised, in order to advance the clarification of possible interferences with the privacy and data protection rights of the German and European citizens who use your services.

Should you have further findings and information, I would also be grateful if you would share them. I enclose my original letter of 11 June 2013 again.

I ask that you also include your subsidiary Skype in your reply, since in its statement it referred to a corresponding responsibility on the part of the parent company Microsoft.

Please let me have your reply by 7 March 2014.

Yours sincerely,
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

Microsoft Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

- in advance by e-mail or fax -

DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and the possible consequences for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely,
Federal Ministry of the Interior
Cornelia Rogall-Grothe
State Secretary
Federal Government Commissioner for Information Technology

Federal Ministry of the Interior, 11014 Berlin

Skype Deutschland GmbH
Konrad-Zuse-Str. 1
85716 Unterschleißheim

STREET ADDRESS Alt-Moabit 101 D, 10559 Berlin
TEL +49 (0)30 18 681-1109
FAX +49 (0)30 18 681-1135
E-MAIL StRG@bmi.bund.de

- in advance by e-mail or fax -

DATE 11 June 2013
FILE REFERENCE IT 1 - 17000/17#2

Dear Sir or Madam,

According to recent press reports, extensive telecommunications data and personal data of German users of your company's services are said to have been collected by the US security authorities in connection with the surveillance programme "PRISM". Should these press reports be accurate, the Federal Government sees considerable risks to the privacy and data protection rights of the German citizens who use your services.

The Federal Government is currently examining the accounts contained in the media reports and the possible consequences for the rights of German users. In this context, I ask you for comprehensive information on your company's involvement in the "PRISM" programme or comparable programmes of the US security authorities.

In particular, I ask you to answer the following questions:

1. Does your company cooperate with the US authorities in connection with the "PRISM" programme?

2. Does this cooperation also affect data of German users?

3. Which categories of data are made available to the US authorities?

4. In which jurisdiction are the servers involved located?

5. In what form are the data transmitted to the US authorities?

6. On what legal basis are the data of German users transmitted to the US authorities?

7. Have there been cases in which your company refused to transmit data of German users? If so, for what reasons?

8. According to media reports, so-called "Special Requests" are also part of the requests made by the US security authorities. Were such "Special Requests" concerning German users directed to your company and, if so, what was their subject?

I would be grateful for answers to my questions by Friday, 14 June 2013.

Thank you for your cooperation in clarifying the facts presented in the media.

Yours sincerely,

Document 2014/0088572
From: Dürig, Markus, Dr.
Sent: Wednesday, 19 February 2014 13:51
To: Meißner, Alexander; Treib, Heinz Jürgen; RegIT3
Cc: Mantz, Rainer, Dr.

Subject: FW: NIST Framework

Dear Mr Treib,
please provide a brief assessment.
Dear Mr Meissner,
"honey" for the IT-SiG?
Best regards, MD

Dr. Markus Dürig

Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D

10559 Berlin

Tel.: 030 18 681 1374

PC fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de

From: Strahl, Claudia

Sent: Thursday, 13 February 2014 16:39
To: Dürig, Markus, Dr.; Mantz, Rainer, Dr.
Subject: FW: NIST Framework

Received in the IT3 mailbox, for your information or further use

Strahl

From: Vogel, Michael, Dr.

Sent: Thursday, 13 February 2014 16:25

To: IT3_

Cc: Stöber, Karlheinz, Dr.; Klee, Kristina, Dr.; FTU: Jens; Schallbruch, Martin; BSI grp: GPReferat B 24; Vorzimmerpvp

Subject: NIST Framework

Dear colleagues,
enclosed please find a brief report on the Cybersecurity Framework published yesterday.

Best regards
Michael Vogel

[Attachments: VB BMI DHS 56 NIST-Framework, Anlage 1 cybersecurity-framework..., Anlage 2 roadmap-0212..., Anlage 3 Fed-Cyber-Report...]

Attachments to Dokument 2014-0088572.msg

1. VB BMI DHS 56 NIST-Framework.docx 3 pages
2. Anlage 2 roadmap-021214.pdf 9 pages
3. Anlage 1 cybersecurity-framework-021214-final.pdf 41 pages
4. Anlage 3 Fed-Cyber-Report-Feb-4-2014.pdf 19 pages
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VB BMI DHS | 12.02.2014 
Cybersecurity in den USA 


Zusammenfassung 
NIST-„Cybersecurity Framework” 


NIST hat seinsog. „Cybersecurity Framework“ (CF) vorgestellt. 
Nach summarischer Durchsicht scheint es sich nicht grundsätzlich von dem 2013 
zur Diskussion gestellten Entwurf zu unterscheiden. 
Das CF ist weiterhin als freiwillige Handreichung zur kritischen Selbstprüfung von 
Unternehmen und „lebendiges Dokument“ konzipiert. 
Herzstück bleibt die Darstellung der verschiedensten in der Wirtschaft gebräuchli- 
chen Standards und Best Practices mit folgenden fünf Kembereichen: 
e kentify — identifikation der zu schützenden Systeme etc. 
Protect CAbsicherungen um KRITIS-relevante Dienstleistungen zu sichem 
Detect — Erkennung von Cyber-Sicherheitszwischenfállen 


Respond —Verfahren zur Abwehr derartiger Zwischenfallen 

Recover —Verfahren, um Schäden/Beeinträchtigungen, die durch solche Zwi- 

schenfálle verursacht wurden, wieder zu beheben. 
Der bisher einzige Unterschied zum 2013-Entwurf besteht in der Streichung des 
Datenschutzteils. Nunmehr enthält das CF nur noch allgemein gehaltene Ausfüh- 
rungen zum Datenschutz, die potenzielle Anwender sensibilisieren sollen. 


Cybersicherheit innerhalb der US-Behórden 


e Ein Bericht von Senator Cobum (R-OK) über den Stand der Absicherung der IT- 
Systeme der US-Bundesregierung zeigt, das z. T. erstaunlich mangelhafte 
Schutzniveau in Ministerien und Behörden, die für KRITIS-Schutz zuständig sind. 

e Aufgrund ungenügender Sicherheitsvorkehrungen (kein Update- oder Patch- 
Management, keine oder veraltete Virenschutzprogramme etc.) seien sensible Da- 
ten ungeschützt gewesen, abgeflossen und Cyberangriffe erleichtert worden. 


l. NIST-„Cybersecurity Framework” 


Das NIST hat heute das sog. „Cybersecurity Framework” (CF) veröffentlicht (s. Anlage 
1). Nach summarischer Durchsicht scheint es sich nicht grundsätzlich. von dem 2013 zur 
Diskussion gestellten Entwurf zu unterscheiden (s. hierzu Bericht vom 04.09.2013). 


In particular, the core of the CF is retained, i.e. the presentation, divided into five core areas, of the wide range of standards and best practices in use in industry ("Identify", "Protect", "Prevent", "Respond" and "Recover"): 
• Identify - identification of the systems, data, capabilities etc. to be protected - prioritisation in line with the organisation's business tasks - definition of a corresponding implementation process 

• Protect - development and implementation of safeguards to secure the delivery of KRITIS-relevant services. 

• Detect - development and implementation of procedures for detecting cyber security incidents 

• Respond - development and implementation of procedures for responding to such incidents. 

• Recover - development and implementation of procedures to remedy damage/impairments caused by incidents. 


No new standards are created; existing ones are merely consolidated, without obliging critical infrastructure operators to adopt them. 


The CF likewise contains a methodology by which organisations can see to what extent they already meet the standards it contains. 


The only real difference from the previously published draft is the removal of the privacy section. Instead, as already announced in the report of 31.01.2014, section 3.5 of the CF contains general remarks on privacy, intended to sensitise potential users of the CF to the data protection implications of their actions. 


As discussions held by VP BSI last week with think tank representatives and the key staffers of the Senate Committee on Homeland Security have shown, experts here assume that although the CF creates no direct binding effect, it will most likely define the standard of care in liability proceedings to a more than negligible degree and thus lead indirectly to a binding effect. Should it also prove possible to create effective incentives (government subsidies, preferential access to risk analyses, etc.) for the adoption of CF standards, this could put further pressure on industry. In that respect the CF could prove to be an intelligent answer to the current legislative stalemate and at least strengthen baseline IT security (IT-Grundschutz) in the private sector across the board. 


Finally, the CF also contains a so-called Roadmap setting out the most important areas of future development, alignment and collaboration relating to the CF (Annex 2). According to it, the CF is to be developed further in the following areas, among others: 


Authentication; automated sharing of indicators of cyber incidents; cybersecurity workforce (training, recruitment); data analytics; international aspects; supply chain risk management; technical privacy standards. 
II. Cybersecurity within US federal agencies 


Shortly before publication of the CF, Senator Coburn (R-OK), a member of the Senate Committee on Homeland Security, published a report on the state of security of the IT systems of agencies responsible for protecting critical infrastructure ("The Federal Government's Track Record on Cybersecurity and Critical Infrastructure"; see Annex 3). 


On the basis of publicly known cyber incidents and unclassified audit reports by the internal audit units (Inspector General) of various agencies, Coburn finds astonishing deficiencies in baseline IT security. Even highly sensitive bodies such as the securities regulator, the federal tax authority, the Department of Energy or even the IT department of DHS (NPPD) were found to have serious deficiencies in baseline IT security. The following agencies were examined: 


• Department of Homeland Security 

• The Nuclear Regulatory Commission 

• Internal Revenue Service 

• Department of Education 

• Department of Energy 

• Securities and Exchange Commission 


Among the failings identified there were the following: 


• No or very deficient update and patch management 

• Inadequate password security in sensitive areas (use of default, easily guessed [e.g. 'qwertz'] or badly outdated passwords [older than 90 days]) 

• Outdated or no antivirus software at all 

• Storage of sensitive data on open drives/databases (e.g. details of the cybersecurity of nuclear power plants or similar facilities; vulnerability analysis on breaking into the stock exchanges' systems) 


In light of these failings, Coburn concludes that while it is legitimate to demand high protection standards of critical infrastructure operators, in many cases it is precisely weaknesses at key points of key US government agencies that ultimately contribute to endangering critical infrastructure. 


Dr. Vogel 
NIST Roadmap for Improving Critical Infrastructure Cybersecurity 
February 12, 2014 


1. Introduction 


This companion Roadmap to the Framework for Improving Critical Infrastructure 
Cybersecurity ("the Framework") discusses NIST's next steps with the Framework 
and identifies key areas of development, alignment, and collaboration. These plans 
are based on input and feedback received from stakeholders through the 
Framework development process, particularly on the "Areas for Improvement" 
section of the Preliminary Framework, which has been moved to this document. 


2. Evolution of the Cybersecurity Framework 


Since Executive Order 13636 was issued, NIST has played a convening role in 
developing the Framework, drawing heavily on standards, guidelines, and best 
practices already available to address key cybersecurity needs. NIST also relied on 
organizations and individuals with experience in reducing cybersecurity risk and 
managing critical infrastructure. 


Moving forward, NIST is committed to helping organizations understand and use the 
Framework. Organizations that are part of the critical infrastructure can use the 
Framework to better manage and reduce their cybersecurity risks. 


Not all critical infrastructure organizations have a mature program and the technical 
expertise in place to identify, assess, and reduce cybersecurity risk. Many have not 
had the resources to keep up with the latest cybersecurity advances and challenges 
as they balance risks to their organizations. NIST intends to conduct a variety of 
activities to help organizations to use the Framework. For example, industry groups, 
associations, and non-profits can be key vehicles for strengthening awareness of the 
Framework. NIST will encourage these organizations to become even more actively 
engaged in cybersecurity issues, and to promote - and assist in the use of - the 
Framework as a basic, flexible, and adaptable tool for managing and reducing 
cybersecurity risks. NIST will build on existing relationships and expand its 
outreach in these areas, in partnership with the Department of Homeland Security's 
(DHS) Voluntary Program. 


The Framework was intended to be a "living document,” stating that it “will 
continue to be updated and improved as industry provides feedback on 
implementation. As the Framework is put into practice, lessons learned will be 
integrated into future versions. This will ensure it is meeting the needs of critical 
infrastructure owners and operators in a dynamic and challenging environment of 
new threats, risks, and solutions." 


NIST will continue to serve in the capacity of "convener and coordinator" at least 
through version 2.0 of the Framework. This will ensure that the Framework 
advances steadily and addresses key areas that need further development. 
In the interest of continuous improvement, NIST will receive and consider 
comments about the Framework informally until it issues a formal notice of revision 
to version 1.0. At that point, NIST will specify a focus for comments and specific 
deadlines that will allow it to develop and publish proposed revisions in a timely 
and transparent fashion. 


NIST intends to hold at least one workshop within six months after the Framework's 
issuance to provide a forum for stakeholders to share experiences in using the 
Framework. NIST will also hold one or more workshops and focused meetings on 
specific Areas for Development, Alignment, and Collaboration. 


3. Strengthening Private Sector Involvement in Future Governance of the 
Framework 


Even as NIST continues to support and improve the Framework, it will solicit input 
on options for long-term governance of the Framework including transitioning 
responsibility for the Framework to a non-government organization. Any transition 
must minimize or prevent potential disruption for organizations that are using the 
Framework. 


The ideal transition partner (or partners) would have the capacity to work closely 
and effectively with international organizations, in light of the importance of 
aligning cybersecurity standards, guidelines, and practices within the United States 
and globally. Transitioning to such a partner - along with NIST's continued support - 
would help to ensure that cybersecurity-related standards and approaches taken by 
the Framework avoid creating additional burdens on multinational organizations 
wanting to implement them. 


4. Areas for Development, Alignment, and Collaboration 


Executive Order 13636 states that the cybersecurity Framework will "identify areas 
for improvement that should be addressed through future collaboration with 
particular sectors and standards-developing organizations." Several high-priority 
areas for development, alignment, and collaboration are listed below based on 
stakeholder input and are described in the subsections below. 


This list of high-priority areas is not intended to be exhaustive. These are important 
areas identified by stakeholders that should inform future versions of the 
Framework. They require continued focus; they are important but evolving areas 
that have yet to be developed or need further research and understanding. While 
tools, methodologies, and standards exist for some of the areas, they need to become 
more mature, available, and widely adopted. To be effective in addressing these 
areas, NIST will work with stakeholders to identify primary challenges, solicit input 
to address those identified needs, and collaboratively develop and execute action 
plans for addressing them. 


Many of these areas also reflect needed capabilities in the Framework Core. As 
progress is made in each of these areas, they can be immediately used in 
conjunction with the Framework to enhance or improve existing cybersecurity 
programs. Progress in these areas also becomes candidate improvements to the 
Framework. 


4.1. Authentication 


Poor authentication mechanisms are a commonly exploited vector of attack by 
adversaries; the 2013 Data Breach Investigations Report (conducted by Verizon in 
concert with the U.S. Department of Homeland Security) noted that 76% of 2012 
network intrusions exploited weak or stolen credentials. Multi-Factor 
Authentication (MFA) can assist in closing these attack vectors by requiring 
individuals to augment passwords ("something you know") with "something you 
have," such as a token, or "something you are," such as a biometric. 


While new authentication solutions continue to emerge, there is only a partial 
framework of standards to promote security and interoperability. The usability of 
authentication approaches remains a significant challenge for many control systems, 
as many existing authentication tools are for standard computing platforms. 
Moreover, many solutions are geared only toward identification of individuals; 
there are fewer standards-based approaches for automated device authentication. 


The inadequacy of passwords for authentication was a key driver behind the 2011 
issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), 
which calls upon the private sector to collaborate on development of an Identity 
Ecosystem that raises the level of trust associated with the identities of individuals, 
organizations, networks, services, and devices online. NSTIC is focused on consumer 
use cases, but the standards and policies that emerge from the privately-led Identity 
Ecosystem Steering Group (IDESG) established to support the NSTIC - as well as 
new authentication solutions that emerge from NSTIC pilots - can inform advances 
in authentication for critical infrastructure as well. 


NIST will focus on three areas: 


• Continue to support the development of better identity and authentication 
solutions through NSTIC pilots, as well as an active partnership with the 
IDESG; 

• Support and participate in identity and authentication standards activities, 
seeking to advance a more complete set of standards to promote security and 
interoperability; this will include standards development work to address 
gaps that may emerge from new approaches in the NSTIC pilots; and 

• Conduct identity and authentication research complemented by the 
production of NIST Special Publications that support improved 
authentication practices. 


4.2. Automated Indicator Sharing 


The automated sharing of indicator information can provide organizations with 
timely, actionable information that they can use to detect and respond to 
cybersecurity events as they are occurring. Sharing indicators based on information 
that is discovered prior to and during incident response activities enables other 
organizations to deploy measures to detect, mitigate, and possibly prevent attacks 
as they occur. Organizations tend to share a subset of indicator data to avoid 
exposing the organization to further risks. This information is shared through 
various channels including: information sharing communities (e.g., sector-specific 
ISACs, consortiums), peer-to-peer sharing with selected partners, and exchanges 
with security service providers. Receiving such indicators allows security 
automation technologies a better chance to detect past attacks, mitigate and 
remediate known vulnerabilities, identify compromised systems, and support the 
detection and mitigation of future attacks. 


Organizations use a combination of standard and proprietary mechanisms to 
exchange indicators that can be used to bolster defenses and to support early 
detection of future attack attempts. These mechanisms have differing strengths and 
weaknesses and often require organizations to maintain specific process, personnel, 
and technical capabilities. Groups of highly capable organizations commonly form 
communities to share useful indicator data. Established communities tend to grow 
through addition of newer members with lower capability. To make these 
communities more effective, appropriate standards need to be defined and then 
adopted in products to enable organizations of various levels of capability and size 
to make use of indicators and other related shared information. 


NIST will work together with private and public sector organizations to promote a 
global competitive marketplace of interoperable solutions that enable both small 
and large organizations to take advantage of indicator sharing. NIST will work with: 


• Private sector standards owners, consortia and others in industry-led, 
consensus-driven international standards organizations to fill current 
standards gaps based on well-defined use cases and requirements. 

• Private and public sector stakeholders to ensure that adequate 
implementation and common practice guidance is available regarding the 
generation, use, and sharing of indicator data. 


4.3. Conformity Assessment 


Conformity assessment can be used to show that a product, service, or system meets 
specified requirements for managing cybersecurity risk. The output of conformity 
assessment activities could be used to enhance an organization's understanding of 
its implementation of a Framework profile. Successful conformity assessment 
provides the needed level of confidence, is efficient, and has a sustainable and 
scalable business case. Critical infrastructure's evolving implementation of 
Framework profiles should drive the identification of private sector conformity 
assessment activities that address the confidence and information needs of 
stakeholders. 


NIST will help ensure that private and public sector conformity assessment needs 
are met by leveraging existing conformity assessment programs and other activities 
that produce evidence of conformity. This reduces the resource burden on the 
private sector. NIST will work with: 
• Private sector standards owners, consortia and others who manage 
conformity assessment programs to help all stakeholders understand how 
these programs can be further leveraged by those who have the need for 
conformity demonstration; and 


• Private and public sector entities that have a need for conformity 
demonstration, to help understand how these organizations can leverage 
existing programs. 


4.4. Cybersecurity Workforce 


A skilled cybersecurity workforce is needed to meet the unique cybersecurity needs 
of critical infrastructure. There is a well-documented shortage of general 
cybersecurity experts; however, there is a greater shortage of qualified 
cybersecurity experts who also have an understanding of the unique challenges 
posed to particular parts of critical infrastructure. As the cybersecurity threat and 
technology environment evolves, the cybersecurity workforce must continue to 
adapt to design, develop, implement, maintain and continuously improve the 
necessary cybersecurity practices within critical infrastructure environments. 


Various efforts, including the National Initiative for Cybersecurity Education (NICE), 
are currently fostering the training of a cybersecurity workforce for the future, 
establishing an operational, sustainable and continually improving cybersecurity 
education program to provide a pipeline of skilled workers for the private sector 
and government. Organizations must understand their current and future 
cybersecurity workforce needs, and develop hiring, acquisition, and training 
resources to raise the level of technical competence of those who build, operate, and 
defend systems delivering critical infrastructure services. 


NIST will continue to promote existing and future cybersecurity workforce 
development activities (including NICE), including coordinating with other 
government agencies, such as DHS. NIST and its partners will also continue to 
increase engagement with academia to expand and fill the cybersecurity workforce 
pipeline. 


Future NIST activities may include: 


• Extending and integrating NICE activities across critical infrastructure (CI) 
sectors to raise cybersecurity awareness; 

• Identifying and supporting foundational research opportunities in areas 
including cybersecurity awareness, training, and education, and security 
usability; 

• Understanding CI cybersecurity workforce needs; and 

• Issuing guidelines, tools, and other resources to develop, customize and 
deliver cybersecurity awareness, training, and education materials. 


4.5. Data Analytics 


Big data and the associated analytic tools coupled with the emergence of cloud, 
mobile, and social computing offer opportunities to process and analyze structured 
and unstructured cybersecurity-relevant data. Issues such as situational awareness 
of complex networks and large-scale infrastructures can be addressed. The analysis 
of complex behaviors in these large scale-systems can also address issues of 
provenance, attribution, and discernment of attack patterns. 


Several significant challenges must be overcome for the extraordinary potential of 
analytics to be realized, including the lack of: taxonomies of big data; mathematical 
and measurement foundations; analytic tools; measurement of integrity of tools; 
and correlation and causation. More importantly, the privacy implications in the use 
of these analytic tools must be addressed for legal and public confidence reasons. 


Future NIST activities may include: 


• Benchmarking and measurement of some of the fundamental scientific 
elements of big data (algorithms, machine learning, topology, graph theory, 
etc.) through means such as research, community evaluations, datasets, and 
challenge problems; 

• Support and participation in big data standards activities such as 
international standards bodies and production of community reference 
architectures and roadmaps; and 

• Production of NIST Special Publications on the secure application of big data 
analytic techniques in such areas as access control, continuous monitoring, 
attack warning and indicators, and security automation. 


4.6. Federal Agency Cybersecurity Alignment 


The Federal Information Security Management Act (FISMA) requires federal 
agencies to implement agency-wide programs to provide information security for 
the information and information systems that support the operations and assets of 
the agency, including those provided or managed by another agency, contractor, or 
other source. FISMA directed NIST to develop a suite of standards and guidelines 
which, when integrated, provide a Risk Management Framework to help agencies 
effectively identify, assess, and mitigate risk to agency operations, assets, and 
individuals. 


While developed for federal agency use, these standards and guidelines are 
frequently voluntarily used by non-federal organizations because of the flexible, 
risk-based, and cost-effective approach they offer. Specific federal standards and 
guidelines - often cited by non-Federal participants during development of the 
Cybersecurity Framework as resources they found useful in managing cybersecurity 
risk - were included as informative references in the Framework Core. 


The Cybersecurity Framework and the NIST Risk Management Framework both 
seek to achieve the same objective - improved management of cybersecurity risk. It 
is important that any effort to apply the Cybersecurity Framework across the 
Federal government complement and enhance rather than duplicate or conflict with 
existing statute, executive direction, policy, and standards. It should also seek to 
minimize the burden placed upon implementing departments and agencies by 
building from existing evaluation and reporting regimes, and encourage common 
and comparable evaluation of cybersecurity posture across federal departments and 
agencies, given diverse requirements and risk environments. 


NIST, working with our interagency partners, will: 


• Identify areas of alignment between existing Federal Information Processing 
Standards (FIPS), guidelines, frameworks, and other programs (e.g. 
Continuous Diagnostics and Mitigation) and the Cybersecurity Framework; 

• Identify and prioritize gaps where additional guidance may improve an 
agency's ability to manage cybersecurity risk, and demonstrate greater 
alignment with the Cybersecurity Framework; and 

• Leverage the Cybersecurity Framework to elevate the use and amplify the 
effectiveness of new and emerging Federal standards, guidelines, and 
programs. 


4.7. International Aspects, Impacts, and Alignment 


Globalization and advances in technology have driven unprecedented increases in 
innovation, competitiveness, and economic growth. Critical infrastructure has 
become dependent on these enabling technologies for increased efficiency and new 
capabilities. Many governments are proposing and enacting strategies, policies, 
laws, and regulations covering information technology for critical infrastructure as a 
result. Because many organizations and most sectors operate globally or rely on the 
interconnectedness of the global digital infrastructure, these requirements are 
affecting, or may affect, how organizations operate, conduct business, and develop 
new products and services. Diverse or specialized requirements can impede 
interoperability, result in duplication, harm cybersecurity, and hinder innovation. In 
turn, this can significantly reduce the availability and use of innovative technologies 
to critical infrastructures in all industries and hamper the ability of organizations to 
operate globally and to effectively manage new and evolving risks. 


Because the Framework references globally accepted standards, guidelines and 
practice, organizations domiciled inside and outside of the United States can use the 
Framework to efficiently operate globally and manage new and evolving risks. 
Conversely, broad use of the Framework will serve as a model approach to 
strengthening the critical infrastructure, while discouraging a balkanization caused 
from unique requirements that hamper interoperability and innovation, and limit 
the efficient and effective use of resources. 


NIST will continue to communicate the intent and approach of the Cybersecurity 
Framework to the international community by: 


• Engaging foreign governments and entities directly to explain the 
Framework and seek alignment of approaches when possible; 

• Coordinating with federal agency partners to ensure full awareness with 
their stakeholder community; 

• Working with industry stakeholders to support their international 
engagement; and 

• Exchanging information and working with standards developing 
organizations, industry, and sectors to ensure the Cybersecurity 
Framework remains aligned and compatible with existing and developing 
standards and practices. 


4.8. Supply Chain Risk Management 


Supply chains consist of organizations that design, produce, source, and deliver 
products and services. All organizations are part of, and dependent upon, product 
and service supply chains. Supply chain risk is an essential part of the risk landscape 
that should be included in organizational risk management programs. Although 
many organizations have robust internal risk management processes, supply chain 
criticality and dependency analysis, collaboration, information sharing, and trust 
mechanisms remain a challenge. Organizations can struggle to identify their risks 
and prioritize their actions—leaving the weakest links susceptible to penetration 
and disruption. Supply chain risk management, especially product and service 
integrity, is an emerging discipline characterized by diverse perspectives, disparate 
bodies of knowledge, and fragmented standards and best practices. 


Increasing adoption of supply chain risk management standards, practices and 
guidelines requires greater awareness and understanding of the risks associated 
with the time-sensitive interdependencies throughout the supply chain, including in 
and between critical infrastructure sectors/subsectors. This understanding is vital 
to enable organizations to assess their risk, prioritize, and allow for timely 
mitigation. 


NIST's activities will focus on engaging stakeholders to: 


• Encourage broad industry engagement and leadership in supply chain 
risk management discussions and activities; 

• Promote the mapping of existing supply chain risk management 
standards, practices and guidelines to the Framework Core; 

• Identify challenges in Framework adoption and determine appropriate 
support to enable effective supply chain risk management; and 

• Determine the key challenges to supply chain risk management (e.g. 
identifying and understanding mission critical functions, their 
dependencies, and conducting and validating prioritization) to enable 
more effective Framework implementation. 


4.9. Technical Privacy Standards 


A key challenge for privacy has been the difficulty in reaching consensus on 
definition and scope management, given its nature of being context-dependent and 
relatively subjective. The Fair Information Practice Principles (FIPPs) - developed 
in the early stages of computerization and data aggregation to address the handling 
of individuals' personal information - have become foundational in the current 
conception of privacy. They have been used as a basis for a number of laws and 
regulations, as well as various sets of privacy principles and frameworks around the 
world. The FIPPs, however, are a process-oriented set of principles for handling 
personal information. They do not purport to define privacy in a way that has 
enabled the development of a risk management model nor do they provide specific 
technical standards or best practices that can guide organizations in implementing 
consistent processes to avoid violating the privacy of individuals. 


The lack of a risk management model, standards, and supporting privacy metrics 
makes it difficult to assess the effectiveness of an organization's privacy protection 
methods. Furthermore, organizational policies are often designed to address 
business risks that arise out of privacy violations, such as reputation or liability 
risks, rather than focusing on minimizing the risk of harm at an individual or 
societal level. Although research is being conducted in the public and private sectors 
to improve current privacy practices, many gaps remain. In particular, there are few 
identifiable technical standards or best practices to mitigate the impact of 
cybersecurity activities on individuals’ privacy or civil liberties. 


To address these gaps and challenges, NIST will first host a privacy workshop in the 
second quarter of 2014. The workshop will focus on the advancement of privacy 
engineering as a foundation for the identification of technical standards and best 
practices that could be developed to mitigate the impact of cybersecurity activities 
on individuals' privacy or civil liberties. Modeled after security engineering, privacy 
engineering may call for the development of a privacy risk management model, 
privacy requirements and system design and development. Future NIST activities 
will build upon the outcomes of the workshop, and NIST will work with private and 
public sector entities to support improvements in the protection of individuals' 
privacy and civil liberties while securing critical infrastructure. 
Executive Summary 


The national and economic security of the United States depends on the reliable functioning of 
critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of 
critical infrastructure systems, placing the Nation's security, economy, and public safety and 
health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company's 
bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to 
innovate and to gain and maintain customers. 


To better address these risks, the President issued Executive Order 13636, “Improving Critical 
Infrastructure Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy of 
the United States to enhance the security and resilience of the Nation's critical infrastructure and 
to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity 
while promoting safety, security, business confidentiality, privacy, and civil liberties." In 
enacting this policy, the Executive Order calls for the development of a voluntary risk-based 
Cybersecurity Framework — a set of industry standards and best practices to help organizations 
manage cybersecurity risks. The resulting Framework, created through collaboration between 
government and the private sector, uses a common language to address and manage 
cybersecurity risk in a cost-effective way based on business needs without placing additional 
regulatory requirements on businesses. 


The Framework focuses on using business drivers to guide cybersecurity activities and 
considering cybersecurity risks as part of the organization's risk management processes. The 
Framework consists of three parts: the Framework Core, the Framework Profile, and the 
Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, 
outcomes, and informative references that are common across critical infrastructure sectors, 
providing the detailed guidance for developing individual organizational Profiles. Through use of 
the Profiles, the Framework will help the organization align its cybersecurity activities with its
business requirements, risk tolerances, and resources. The Tiers provide a mechanism for
organizations to view and understand the characteristics of their approach to managing 
cybersecurity risk. 


The Executive Order also requires that the Framework include a methodology to protect 
individual privacy and civil liberties when critical infrastructure organizations conduct 
cybersecurity activities. While processes and existing needs will differ, the Framework can assist 
organizations in incorporating privacy and civil liberties as part of a comprehensive
cybersecurity program. 


The Framework enables organizations — regardless of size, degree of cybersecurity risk, or 
cybersecurity sophistication — to apply the principles and best practices of risk management to 
improving the security and resilience of critical infrastructure. The Framework provides 
organization and structure to today’s multiple approaches to cybersecurity by assembling 
standards, guidelines, and practices that are working effectively in industry today. Moreover,
because it references globally recognized standards for cybersecurity, the Framework can also be
used by organizations located outside the United States and can serve as a model for
international cooperation on strengthening critical infrastructure cybersecurity. 


The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical 
infrastructure. Organizations will continue to have unique risks — different threats, different 
vulnerabilities, different risk tolerances — and how they implement the practices in the 
Framework will vary. Organizations can determine activities that are important to critical service 
delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, 
the Framework is aimed at reducing and better managing cybersecurity risks. 


The Framework is a living document and will continue to be updated and improved as industry 
provides feedback on implementation. As the Framework is put into practice, lessons learned 
will be integrated into future versions. This will ensure it is meeting the needs of critical 
infrastructure owners and operators in a dynamic and challenging environment of new threats, 
risks, and solutions. 


Use of this voluntary Framework is the next step to improve the cybersecurity of our Nation's
critical infrastructure — providing guidance for individual organizations, while increasing the 
cybersecurity posture of the Nation's critical infrastructure as a whole. 
1.0 Framework Introduction


The national and economic security of the United States depends on the reliable functioning of 
critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued 
Executive Order 13636 (EO), "Improving Critical Infrastructure Cybersecurity," on February 12, 
2013.¹ This Executive Order calls for the development of a voluntary Cybersecurity Framework
(“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost- 
effective approach" to manage cybersecurity risk for those processes, information, and systems 
directly involved in the delivery of critical infrastructure services. The Framework, developed in 
collaboration with industry, provides guidance to an organization on managing cybersecurity 
risk. 


Critical infrastructure is defined in the EO as "systems and assets, whether physical or virtual, so 
vital to the United States that the incapacity or destruction of such systems and assets would have 
a debilitating impact on security, national economic security, national public health or safety, or 
any combination of those matters." Due to the increasing pressures from external and internal 
threats, organizations responsible for critical infrastructure need to have a consistent and iterative 
approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary 
regardless of an organization's size, threat exposure, or cybersecurity sophistication today. 


The critical infrastructure community includes public and private owners and operators, and 
other entities with a role in securing the Nation's infrastructure. Members of each critical 
infrastructure sector perform functions that are supported by information technology (IT) and 
industrial control systems (ICS).² This reliance on technology, communication, and the
interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and 
increased potential risk to operations. For example, as ICS and the data produced in ICS 
operations are increasingly used to deliver critical services and support business decisions, the 
potential impacts of a cybersecurity incident on an organization's business, assets, health and 
safety of individuals, and the environment should be considered. To manage cybersecurity risks, 
a clear understanding of the organization's business drivers and security considerations specific 
to its use of IT and ICS is required. Because each organization's risk is unique, along with its use 
of IT and ICS, the tools and methods used to achieve the outcomes described by the Framework 
will vary.


Recognizing the role that the protection of privacy and civil liberties plays in creating greater 
public trust, the Executive Order requires that the Framework include a methodology to protect 
individual privacy and civil liberties when critical infrastructure organizations conduct 
cybersecurity activities. Many organizations already have processes for addressing privacy and 
civil liberties. The methodology is designed to complement such processes and provide guidance 
to facilitate privacy risk management consistent with an organization's approach to cybersecurity 
risk management. Integrating privacy and cybersecurity can benefit organizations by increasing
customer confidence, enabling more standardized sharing of information, and simplifying 
operations across legal regimes. 


¹ Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12,
2013. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf

² The DHS Critical Infrastructure program provides a listing of the sectors and their associated critical functions
and value chains. http://www.dhs.gov/critical-infrastructure-sectors
To ensure extensibility and enable technical innovation, the Framework is technology neutral.
The Framework relies on a variety of existing standards, guidelines, and practices to enable 
critical infrastructure providers to achieve resilience. By relying on those global standards, 
guidelines, and practices developed, managed, and updated by industry, the tools and methods 
available to achieve the Framework outcomes will scale across borders, acknowledge the global 
nature of cybersecurity risks, and evolve with technological advances and business requirements. 
The use of existing and emerging standards will enable economies of scale and drive the 
development of effective products, services, and practices that meet identified market needs. 
Market competition also promotes faster diffusion of these technologies and practices and 
realization of many benefits by the stakeholders in these sectors. 


Building from those standards, guidelines, and practices, the Framework provides a common 
taxonomy and mechanism for organizations to: 


1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a
continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.


The Framework complements, and does not replace, an organization's risk management process
and cybersecurity program. The organization can use its current processes and leverage the 
Framework to identify opportunities to strengthen and communicate its management of 
cybersecurity risk while aligning with industry practices. Alternatively, an organization without 
an existing cybersecurity program can use the Framework as a reference to establish one. 


Just as the Framework is not industry-specific, the common taxonomy of standards, guidelines,
and practices that it provides also is not country-specific. Organizations outside the United States 
may also use the Framework to strengthen their own cybersecurity efforts, and the Framework 
can contribute to developing a common language for international cooperation on critical 
infrastructure cybersecurity. 


1.1 Overview of the Framework 


The Framework is a risk-based approach to managing cybersecurity risk, and is composed of 
three parts: the Framework Core, the Framework Implementation Tiers, and the Framework 
Profiles. Each Framework component reinforces the connection between business drivers and 
cybersecurity activities. These components are explained below. 


• The Framework Core is a set of cybersecurity activities, desired outcomes, and
applicable references that are common across critical infrastructure sectors. The Core 
presents industry standards, guidelines, and practices in a manner that allows for 
communication of cybersecurity activities and outcomes across the organization from the 
executive level to the implementation/operations level. The Framework Core consists of 
five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. 
When considered together, these Functions provide a high-level, strategic view of the 
lifecycle of an organization's management of cybersecurity risk. The Framework Core 
then identifies underlying key Categories and Subcategories for each Function, and
matches them with example Informative References such as existing standards, 
guidelines, and practices for each Subcategory. 


• Framework Implementation Tiers (“Tiers”) provide context on how an organization
views cybersecurity risk and the processes in place to manage that risk. Tiers describe the
degree to which an organization's cybersecurity risk management practices exhibit the
characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and 
adaptive). The Tiers characterize an organization's practices over a range, from Partial 
(Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive 
responses to approaches that are agile and risk-informed. During the Tier selection 
process, an organization should consider its current risk management practices, threat 
environment, legal and regulatory requirements, business/mission objectives, and 
organizational constraints. 


• A Framework Profile (“Profile”) represents the outcomes based on business needs that an
organization has selected from the Framework Categories and Subcategories. The Profile 
can be characterized as the alignment of standards, guidelines, and practices to the 
Framework Core in a particular implementation scenario. Profiles can be used to identify 
opportunities for improving cybersecurity posture by comparing a “Current” Profile (the 
"as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, an
organization can review all of the Categories and Subcategories and, based on business 
drivers and a risk assessment, determine which are most important; they can add 
Categories and Subcategories as needed to address the organization's risks. The Current 
Profile can then be used to support prioritization and measurement of progress toward the 
Target Profile, while factoring in other business needs including cost-effectiveness and 
innovation. Profiles can be used to conduct self-assessments and communicate within an 
organization or between organizations. 


1.2 Risk Management and the Cybersecurity Framework 


Risk management is the ongoing process of identifying, assessing, and responding to risk. To 
manage risk, organizations should understand the likelihood that an event will occur and the 
resulting impact. With this information, organizations can determine the acceptable level of risk 
for delivery of services and can express this as their risk tolerance. 


With an understanding of risk tolerance, organizations can prioritize cybersecurity activities, 
enabling organizations to make informed decisions about cybersecurity expenditures. 
Implementation of risk management programs offers organizations the ability to quantify and 
communicate adjustments to their cybersecurity programs. Organizations may choose to handle 
risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or 
accepting the risk, depending on the potential impact to the delivery of critical services. 


The Framework uses risk management processes to enable organizations to inform and prioritize 
decisions regarding cybersecurity. It supports recurring risk assessments and validation of 
business drivers to help organizations select target states for cybersecurity activities that reflect 
desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and 
direct improvement in cybersecurity risk management for the IT and ICS environments. 
The Framework is adaptive to provide a flexible and risk-based implementation that can be used
with a broad array of cybersecurity risk management processes. Examples of cybersecurity risk 
management processes include International Organization for Standardization (ISO) 
31000:2009³, ISO/IEC 27005:2011⁴, National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-39⁵, and the Electricity Subsector Cybersecurity Risk Management
Process (RMP) guideline⁶.


1.3 Document Overview 


The remainder of this document contains the following sections and appendices: 

• Section 2 describes the Framework components: the Framework Core, the Tiers, and the
Profiles.
• Section 3 presents examples of how the Framework can be used.
• Appendix A presents the Framework Core in a tabular format: the Functions, Categories,
Subcategories, and Informative References.
• Appendix B contains a glossary of selected terms.
• Appendix C lists acronyms used in this document.


³ International Organization for Standardization, Risk management — Principles and guidelines, ISO 31000:2009,
2009. http://www.iso.org/iso/home/standards/iso31000.htm

⁴ International Organization for Standardization/International Electrotechnical Commission, Information
technology — Security techniques — Information security risk management, ISO/IEC 27005:2011, 2011.
http://www.iso.org/iso/catalogue_detail?csnumber=56742

⁵ Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and
Information System View, NIST Special Publication 800-39, March 2011.
http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

⁶ U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May
2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf
2.0 Framework Basics


The Framework provides a common language for understanding, managing, and expressing 
cybersecurity risk both internally and externally. It can be used to help identify and prioritize 
actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and 
technological approaches to managing that risk. It can be used to manage cybersecurity risk
across entire organizations or it can be focused on the delivery of critical services within an 
organization. Different types of entities — including sector coordinating structures, associations, 
and organizations — can use the Framework for different purposes, including the creation of 
common Profiles. 


2.1 Framework Core 


The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and
references examples of guidance to achieve those outcomes. The Core is not a checklist of
actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in
managing cybersecurity risk. The Core comprises four elements: Functions, Categories,
Subcategories, and Informative References, depicted in Figure 1:


[Figure 1: Framework Core Structure. A table with the columns Functions | Categories | Subcategories | Informative References, with one row per Function, beginning with IDENTIFY.]


The Framework Core elements work together as follows: 


• Functions organize basic cybersecurity activities at their highest level. These Functions
are Identify, Protect, Detect, Respond, and Recover. They aid an organization in
expressing its management of cybersecurity risk by organizing information, enabling risk
management decisions, addressing threats, and improving by learning from previous 
activities. The Functions also align with existing methodologies for incident management 
and help show the impact of investments in cybersecurity. For example, investments in 
planning and exercises support timely response and recovery actions, resulting in reduced 
impact to the delivery of services.


• Categories are the subdivisions of a Function into groups of cybersecurity outcomes
closely tied to programmatic needs and particular activities. Examples of Categories 
include “Asset Management,” “Access Control,” and “Detection Processes." 
• Subcategories further divide a Category into specific outcomes of technical and/or
management activities. They provide a set of results that, while not exhaustive, help 
support achievement of the outcomes in each Category. Examples of Subcategories 
include “External information systems are catalogued,” “Data-at-rest is protected,” and 
“Notifications from detection systems are investigated.” 


• Informative References are specific sections of standards, guidelines, and practices
common among critical infrastructure sectors that illustrate a method to achieve the 
outcomes associated with each Subcategory. The Informative References presented in the 
Framework Core are illustrative and not exhaustive. They are based upon cross-sector 
guidance most frequently referenced during the Framework development process.⁷


The five Framework Core Functions are defined below. These Functions are not intended to 
form a serial path, or lead to a static desired end state. Rather, the Functions can be performed 
concurrently and continuously to form an operational culture that addresses the dynamic 
cybersecurity risk. See Appendix A for the complete Framework Core listing. 


• Identify — Develop the organizational understanding to manage cybersecurity risk to
systems, assets, data, and capabilities. 


The activities in the Identify Function are foundational for effective use of the 
Framework. Understanding the business context, the resources that support critical 
functions, and the related cybersecurity risks enables an organization to focus and 
prioritize its efforts, consistent with its risk-management strategy and business needs. 
Examples of outcome Categories within this Function include: Asset Management; 
Business Environment; Governance; Risk Assessment; and Risk Management Strategy. 


• Protect — Develop and implement the appropriate safeguards to ensure delivery of
critical infrastructure services. 


The Protect Function supports the ability to limit or contain the impact of a potential 
cybersecurity event. Examples of outcome Categories within this Function include: 
Access Control; Awareness and Training; Data Security; Information Protection 
Processes and Procedures; Maintenance; and Protective Technology. 


• Detect — Develop and implement the appropriate activities to identify the occurrence of a
cybersecurity event. 


The Detect Function enables timely discovery of cybersecurity events. Examples of
outcome Categories within this Function include: Anomalies and Events; Security 
Continuous Monitoring; and Detection Processes. 


• Respond — Develop and implement the appropriate activities to take action regarding a
detected cybersecurity event. 





⁷ NIST developed a Compendium of informative references gathered from the Request for Information (RFI)
input, Cybersecurity Framework workshops, and stakeholder engagement during the Framework development
process. The Compendium includes standards, guidelines, and practices to assist with implementation. The
Compendium is not intended to be an exhaustive list, but rather a starting point based on initial stakeholder
input. The Compendium and other supporting material can be found at http://www.nist.gov/cyberframework/.
The Respond Function supports the ability to contain the impact of a potential
cybersecurity event. Examples of outcome Categories within this Function include: 
Response Planning; Communications; Analysis; Mitigation; and Improvements. 


• Recover — Develop and implement the appropriate activities to maintain plans for
resilience and to restore any capabilities or services that were impaired due to a 
cybersecurity event. 


The Recover Function supports timely recovery to normal operations to reduce the 
impact from a cybersecurity event. Examples of outcome Categories within this Function 
include: Recovery Planning; Improvements; and Communications. 


2.2 Framework Implementation Tiers 


The Framework Implementation Tiers (“Tiers”) provide context on how an organization views 
cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial 
(Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in 
cybersecurity risk management practices and the extent to which cybersecurity risk management 
is informed by business needs and is integrated into an organization's overall risk management 
practices. Risk management considerations include many aspects of cybersecurity, including the 
degree to which privacy and civil liberties considerations are integrated into an organization's 
management of cybersecurity risk and potential risk responses. 


The Tier selection process considers an organization's current risk management practices, threat 
environment, legal and regulatory requirements, business/mission objectives, and organizational 
constraints. Organizations should determine the desired Tier, ensuring that the selected level 
meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical 
assets and resources to levels acceptable to the organization. Organizations should consider 
leveraging external guidance obtained from Federal government departments and agencies, 
Information Sharing and Analysis Centers (ISACs), existing maturity models, or other sources to 
assist in determining their desired tier. 


While organizations identified as Tier 1 (Partial) are encouraged to consider moving toward Tier 
2 or greater, Tiers do not represent maturity levels. Progression to higher Tiers is encouraged 
when such a change would reduce cybersecurity risk and be cost effective. Successful 
implementation of the Framework is based upon achievement of the outcomes described in the 
organization's Target Profile(s) and not upon Tier determination. 
The Tier definitions are as follows:


Tier 1: Partial


Risk Management Process — Organizational cybersecurity risk management practices are 
not formalized, and risk is managed in an ad hoc and sometimes reactive manner. 
Prioritization of cybersecurity activities may not be directly informed by organizational 
risk objectives, the threat environment, or business/mission requirements. 


Integrated Risk Management Program — There is limited awareness of cybersecurity risk 
at the organizational level and an organization-wide approach to managing cybersecurity 
risk has not been established. The organization implements cybersecurity risk 
management on an irregular, case-by-case basis due to varied experience or information 
gained from outside sources. The organization may not have processes that enable 
cybersecurity information to be shared within the organization. 


External Participation — An organization may not have the processes in place to 
participate in coordination or collaboration with other entities.


Tier 2: Risk Informed


Risk Management Process — Risk management practices are approved by management 
but may not be established as organizational-wide policy. Prioritization of cybersecurity 
activities is directly informed by organizational risk objectives, the threat environment, or 
business/mission requirements. 


Integrated Risk Management Program — There is an awareness of cybersecurity risk at 
the organizational level but an organization-wide approach to managing cybersecurity
risk has not been established. Risk-informed, management-approved processes and 
procedures are defined and implemented, and staff has adequate resources to perform 
their cybersecurity duties. Cybersecurity information is shared within the organization on 
an informal basis. 


External Participation — The organization knows its role in the larger ecosystem, but has 
not formalized its capabilities to interact and share information externally. 


Tier 3: Repeatable


Risk Management Process — The organization's risk management practices are formally
approved and expressed as policy. Organizational cybersecurity practices are regularly 
updated based on the application of risk management processes to changes in 
business/mission requirements and a changing threat and technology landscape. 


Integrated Risk Management Program — There is an organization-wide approach to 
manage cybersecurity risk. Risk-informed policies, processes, and procedures are 
defined, implemented as intended, and reviewed. Consistent methods are in place to 
respond effectively to changes in risk. Personnel possess the knowledge and skills to 
perform their appointed roles and responsibilities. 


External Participation — The organization understands its dependencies and partners and 
receives information from these partners that enables collaboration and risk-based 
management decisions within the organization in response to events. 


Tier 4: Adaptive


Risk Management Process — The organization adapts its cybersecurity practices based on
lessons learned and predictive indicators derived from previous and current cybersecurity
activities. Through a process of continuous improvement incorporating advanced
cybersecurity technologies and practices, the organization actively adapts to a changing
cybersecurity landscape and responds to evolving and sophisticated threats in a timely
manner.


Integrated Risk Management Program — There is an organization-wide approach to
managing cybersecurity risk that uses risk-informed policies, processes, and procedures
to address potential cybersecurity events. Cybersecurity risk management is part of the
organizational culture and evolves from an awareness of previous activities, information
shared by other sources, and continuous awareness of activities on their systems and
networks.


External Participation — The organization manages risk and actively shares information
with partners to ensure that accurate, current information is being distributed and
consumed to improve cybersecurity before a cybersecurity event occurs.


2.3 Framework Profile


The Framework Profile (“Profile”) is the alignment of the Functions, Categories, and 
Subcategories with the business requirements, risk tolerance, and resources of the organization. 
A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well 
aligned with organizational and sector goals, considers legal/regulatory requirements and 
industry best practices, and reflects risk management priorities. Given the complexity of many 
organizations, they may choose to have multiple profiles, aligned with particular components and 
recognizing their individual needs. 


Framework Profiles can be used to describe the current state or the desired target state of specific 
cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that are 
currently being achieved. The Target Profile indicates the outcomes needed to achieve the 
desired cybersecurity risk management goals. Profiles support business/mission requirements 
and aid in the communication of risk within and between organizations. This Framework 
document does not prescribe Profile templates, allowing for flexibility in implementation. 


Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be 
addressed to meet cybersecurity risk management objectives. An action plan to address these 
gaps can contribute to the roadmap described above. Prioritization of gap mitigation is driven by 
the organization's business needs and risk management processes. This risk-based approach 
enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve 
cybersecurity goals in a cost-effective, prioritized manner. 


2.4 Coordination of Framework Implementation


Figure 2 describes a common flow of information and decisions at the following levels within an 
organization: 


• Executive
• Business/Process
• Implementation/Operations


The executive level communicates the mission priorities, available resources, and overall risk 
tolerance to the business/process level. The business/process level uses the information as inputs 
into the risk management process, and then collaborates with the implementation/operations 
level to communicate business needs and create a Profile. The implementation/operations level 
communicates the Profile implementation progress to the business/process level. The 
business/process level uses this information to perform an impact assessment. Business/process 
level management reports the outcomes of that impact assessment to the executive level to 
inform the organization’s overall risk management process and to the implementation/operations 
level for awareness of business impact. 


[Figure 2: Notional Information and Decision Flows within an Organization. The Executive, Business/Process, and Implementation/Operations levels exchange risk management and implementation information as described above.]
3.0 How to Use the Framework


An organization can use the Framework as a key part of its systematic process for identifying, 
assessing, and managing cybersecurity risk. The Framework is not designed to replace existing 
processes; an organization can use its current process and overlay it onto the Framework to 
determine gaps in its current cybersecurity risk approach and develop a roadmap to 
improvement. Utilizing the Framework as a cybersecurity risk management tool, an organization 
can determine activities that are most important to critical service delivery and prioritize 
expenditures to maximize the impact of the investment. 


The Framework is designed to complement existing business and cybersecurity operations. It can 
serve as the foundation for a new cybersecurity program or a mechanism for improving an 
existing program. The Framework provides a means of expressing cybersecurity requirements to 
business partners and customers and can help identify gaps in an organization’s cybersecurity 
practices. It also provides a general set of considerations and processes for considering privacy 
and civil liberties implications in the context of a cybersecurity program.


The following sections present different ways in which organizations can use the Framework. 


3.1 Basic Review of Cybersecurity Practices 


The Framework can be used to compare an organization's current cybersecurity activities with 
those outlined in the Framework Core. Through the creation of a Current Profile, organizations 
can examine the extent to which they are achieving the outcomes described in the Core 
Categories and Subcategories, aligned with the five high-level Functions: Identify, Protect,
Detect, Respond, and Recover. An organization may find that it is already achieving the desired 
outcomes, thus managing cybersecurity commensurate with the known risk. Conversely, an 
organization may determine that it has opportunities to (or needs to) improve. The organization 
can use that information to develop an action plan to strengthen existing cybersecurity practices 
and reduce cybersecurity risk. An organization may also find that it is overinvesting to achieve 
certain outcomes. The organization can use this information to reprioritize resources to 
strengthen other cybersecurity practices. 


While they do not replace a risk management process, these five high-level Functions provide
a concise way for senior executives and others to distill the fundamental concepts of
cybersecurity risk so that they can assess how identified risks are managed, and how their
organization stacks up at a high level against existing cybersecurity standards, guidelines, and
practices. The Framework can also help an organization answer fundamental questions,
including "How are we doing?", and then move in a more informed way to strengthen its
cybersecurity practices where and when deemed necessary.


3.2 Establishing or Improving a Cybersecurity Program 


The following steps illustrate how an organization could use the Framework to create a new 
cybersecurity program or improve an existing program. These steps should be repeated as 
necessary to continuously improve cybersecurity. 
Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and
high-level organizational priorities. With this information, the organization makes strategic 
decisions regarding cybersecurity implementations and determines the scope of systems and 
assets that support the selected business line or process. The Framework can be adapted to 
support the different business lines or processes within an organization, which may have 
different business needs and associated risk tolerance. 


Step 2: Orient. Once the scope of the cybersecurity program has been determined for the 
business line or process, the organization identifies related systems and assets, regulatory 
requirements, and overall risk approach. The organization then identifies threats to, and 
vulnerabilities of, those systems and assets. 


Step 3: Create a Current Profile. The organization develops a Current Profile by indicating 
which Category and Subcategory outcomes from the Framework Core are currently being 
achieved. 


Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization's 
overall risk management process or previous risk assessment activities. The organization 
analyzes the operational environment in order to discern the likelihood of a cybersecurity event 
and the impact that the event could have on the organization. It is important that organizations 
seek to incorporate emerging risks and threat and vulnerability data to facilitate a robust 
understanding of the likelihood and impact of cybersecurity events. 


Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the 
assessment of the Framework Categories and Subcategories describing the organization's desired 
cybersecurity outcomes. Organizations also may develop their own additional Categories and 
Subcategories to account for unique organizational risks. The organization may also consider 
influences and requirements of external stakeholders such as sector entities, customers, and 
business partners when creating a Target Profile. 


Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current 
Profile and the Target Profile to determine gaps. Next it creates a prioritized action plan to 
address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of 
risk to achieve the outcomes in the Target Profile. The organization then determines resources 
necessary to address the gaps. Using Profiles in this manner enables the organization to make 
informed decisions about cybersecurity activities, supports risk management, and enables the 
organization to perform cost-effective, targeted improvements. 


Step 7: Implement Action Plan. The organization determines which actions to take in regards 
to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity 
practices against the Target Profile. For further guidance, the Framework identifies example 
Informative References regarding the Categories and Subcategories, but organizations should 
determine which standards, guidelines, and practices, including those that are sector specific, 
work best for their needs. 


An organization may repeat the steps as needed to continuously assess and improve its 
cybersecurity. For instance, organizations may find that more frequent repetition of the orient
step improves the quality of risk assessments. Furthermore, organizations may monitor progress
through iterative updates to the Current Profile, subsequently comparing the Current Profile to 
the Target Profile. Organizations may also utilize this process to align their cybersecurity 
program with their desired Framework Implementation Tier. 
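The Current/Target Profile comparison in Steps 3 through 6, together with the overinvestment check from Section 3.1, can be expressed as a small gap-analysis routine. The following Python is an added illustration written for this edit, not code from the Framework or from NIST: it scores each Subcategory outcome in a Current Profile and a Target Profile, ranks the open gaps by risk reduced per unit of cost (the cost/benefit input Step 6 calls for), fits a plan to a budget, and reports outcomes achieved beyond their target. The Subcategory identifiers and outcome texts follow the Framework Core; the scoring scale, likelihood and impact figures, costs and budget are constructed sample data, not values from the page.

```python
"""Profile gap analysis in the style of Framework Steps 3-6 (added example).

All numeric inputs (scores, likelihood, impact, cost, budget) are constructed
sample data; the Subcategory identifiers follow the Framework's
Function.Category-number scheme.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Outcome:
    """One Framework Core Subcategory as scored in the Current and Target Profiles."""
    subcategory: str   # identifier, e.g. "PR.DS-1"
    description: str
    current: int       # degree achieved today, 0 (not at all) .. 4 (fully): Current Profile
    target: int        # degree the organization wants, same scale: Target Profile
    likelihood: float  # chance of a cybersecurity event while the gap stays open (Step 4)
    impact: int        # business impact of that event, 1 .. 5 (Step 4)
    cost: int          # estimated effort to reach the target, arbitrary units


def gap_size(o: Outcome) -> int:
    """How far the Current Profile falls short of the Target Profile for this outcome."""
    return max(o.target - o.current, 0)


def risk_exposure(o: Outcome) -> float:
    """Risk as the glossary defines it: a function of impact and likelihood."""
    return o.likelihood * o.impact


def priority_score(o: Outcome) -> float:
    """Risk reduced per unit of cost; the cost/benefit input to Step 6."""
    return risk_exposure(o) * gap_size(o) / o.cost


def find_gaps(profile: List[Outcome]) -> List[Outcome]:
    """Step 6: outcomes where the Target Profile exceeds the Current Profile."""
    return [o for o in profile if gap_size(o) > 0]


def find_overinvestment(profile: List[Outcome]) -> List[Outcome]:
    """Section 3.1: outcomes achieved beyond the target; resources that could be redirected."""
    return [o for o in profile if o.current > o.target]


def prioritize(gaps: List[Outcome]) -> List[Outcome]:
    """Highest risk reduction per cost first; ties broken by larger exposure."""
    return sorted(gaps, key=lambda o: (priority_score(o), risk_exposure(o)), reverse=True)


def action_plan(profile: List[Outcome], budget: int) -> Tuple[List[str], List[str], int]:
    """Step 7 input: fund gaps in priority order until the budget runs out.

    Returns (funded identifiers, deferred identifiers, total spend). Deferred
    gaps are the residual risk the business/process level reports upward.
    """
    funded, deferred, spent = [], [], 0
    for o in prioritize(find_gaps(profile)):
        if spent + o.cost <= budget:
            funded.append(o.subcategory)
            spent += o.cost
        else:
            deferred.append(o.subcategory)
    return funded, deferred, spent


# Constructed sample profile: the outcome texts are Framework Subcategories,
# every number is illustrative.
SAMPLE_PROFILE = [
    Outcome("ID.AM-4", "External information systems are catalogued", 1, 3, 0.5, 3, 2),
    Outcome("PR.DS-1", "Data-at-rest is protected", 1, 4, 0.3, 5, 6),
    Outcome("DE.CM-1", "The network is monitored to detect potential cybersecurity events", 2, 4, 0.6, 4, 4),
    Outcome("RS.AN-1", "Notifications from detection systems are investigated", 3, 3, 0.2, 3, 1),
    Outcome("PR.AT-1", "All users are informed and trained", 4, 2, 0.1, 2, 1),
]


if __name__ == "__main__":
    funded, deferred, spent = action_plan(SAMPLE_PROFILE, budget=7)
    for o in prioritize(find_gaps(SAMPLE_PROFILE)):
        print(f"{o.subcategory}: gap {gap_size(o)}, priority {priority_score(o):.2f}")
    print("fund now:", funded, "defer:", deferred, "spend:", spent)
    print("over target:", [o.subcategory for o in find_overinvestment(SAMPLE_PROFILE)])
```

The ranking deliberately puts a cheap, moderately risky gap (ID.AM-4) ahead of a larger but expensive one (PR.DS-1); whichever gaps fall outside the budget are the ones the business/process level carries into its impact assessment for the executive level, per Section 2.4.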


3.3 Communicating Cybersecurity Requirements with Stakeholders 


The Framework provides a common language to communicate requirements among 
interdependent stakeholders responsible for the delivery of essential critical infrastructure 
services. Examples include: 


• An organization may utilize a Target Profile to express cybersecurity risk management
requirements to an external service provider (e.g., a cloud provider to which it is
exporting data).

• An organization may express its cybersecurity state through a Current Profile to report
results or to compare with acquisition requirements.

• A critical infrastructure owner/operator, having identified an external partner on whom
that infrastructure depends, may use a Target Profile to convey required Categories and
Subcategories.

• A critical infrastructure sector may establish a Target Profile that can be used among its
constituents as an initial baseline Profile to build their tailored Target Profiles.


3.4 Identifying Opportunities for New or Revised Informative References


The Framework can be used to identify opportunities for new or revised standards, guidelines, or 
practices where additional Informative References would help organizations address emerging 
needs. An organization implementing a given Subcategory, or developing a new Subcategory, 
might discover that there are few Informative References, if any, for a related activity. To 
address that need, the organization might collaborate with technology leaders and/or standards 
bodies to draft, develop, and coordinate standards, guidelines, or practices.


3.5 Methodology to Protect Privacy and Civil Liberties 


This section describes a methodology as required by the Executive Order to address individual 
privacy and civil liberties implications that may result from cybersecurity operations. This 
methodology is intended to be a general set of considerations and processes since privacy and 
civil liberties implications may differ by sector or over time and organizations may address these 
considerations and processes with a range of technical implementations. Nonetheless, not all 
activities in a cybersecurity program may give rise to these considerations. Consistent with 
Section 3.4, technical privacy standards, guidelines, and additional best practices may need to be 
developed to support improved technical implementations. 


Privacy and civil liberties implications may arise when personal information is used, collected, 
processed, maintained, or disclosed in connection with an organization's cybersecurity activities. 
Some examples of activities that bear privacy or civil liberties considerations may include: 
cybersecurity activities that result in the over-collection or over-retention of personal 
information; disclosure or use of personal information unrelated to cybersecurity activities; 
cybersecurity mitigation activities that result in denial of service or other similar potentially 
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adverse impacts, including activities such as some types of incident detection or monitoring that 
may impact freedom of expression or association. 


The government and agents of the government have a direct responsibility to protect civil
liberties arising from cybersecurity activities. As referenced in the methodology below,
government or agents of the government that own or operate critical infrastructure should have a
process in place to support compliance of cybersecurity activities with applicable privacy laws,
regulations, and Constitutional requirements.


To address privacy implications, organizations may consider how, in circumstances where such
measures are appropriate, their cybersecurity program might incorporate privacy principles such
as: data minimization in the collection, disclosure, and retention of personal information material
related to the cybersecurity incident; use limitations outside of cybersecurity activities on any
information collected specifically for cybersecurity activities; transparency for certain
cybersecurity activities; individual consent and redress for adverse impacts arising from use of
personal information in cybersecurity activities; data quality, integrity, and security; and
accountability and auditing.


As organizations assess the Framework Core in Appendix A, the following processes and 
activities may be considered as a means to address the above-referenced privacy and civil 
liberties implications: 


Governance of cybersecurity risk 


• An organization's assessment of cybersecurity risk and potential risk responses considers
the privacy implications of its cybersecurity program

• Individuals with cybersecurity-related privacy responsibilities report to appropriate
management and are appropriately trained

• Process is in place to support compliance of cybersecurity activities with applicable
privacy laws, regulations, and Constitutional requirements

• Process is in place to assess implementation of the foregoing organizational measures and
controls


Approaches to identifying and authorizing individuals to access organizational assets and 
systems 


• Steps are taken to identify and address the privacy implications of access control
measures to the extent that they involve collection, disclosure, or use of personal
information


Awareness and training measures 


• Applicable information from organizational privacy policies is included in cybersecurity
workforce training and awareness activities

• Service providers that provide cybersecurity-related services for the organization are
informed about the organization's applicable privacy policies
Anomalous activity detection and system and assets monitoring


• Process is in place to conduct a privacy review of an organization's anomalous activity
detection and cybersecurity monitoring


Response activities, including information sharing or other mitigation efforts 


• Process is in place to assess and address whether, when, how, and the extent to which
personal information is shared outside the organization as part of cybersecurity
information sharing activities

• Process is in place to conduct a privacy review of an organization's cybersecurity
mitigation efforts
Appendix A: Framework Core


This appendix presents the Framework Core: a listing of Functions, Categories, Subcategories, 
and Informative References that describe specific cybersecurity activities that are common 
across all critical infrastructure sectors. The chosen presentation format for the Framework Core 
does not suggest a specific implementation order or imply a degree of importance of the 
Categories, Subcategories, and Informative References. The Framework Core presented in this 
appendix represents a common set of activities for managing cybersecurity risk. While the 
Framework is not exhaustive, it is extensible, allowing organizations, sectors, and other entities 
to use Subcategories and Informative References that are cost-effective and efficient and that 
enable them to manage their cybersecurity risk. Activities can be selected from the Framework 
Core during the Profile creation process and additional Categories, Subcategories, and
Informative References may be added to the Profile. An organization's risk management 
processes, legal/regulatory requirements, business/mission objectives, and organizational 
constraints guide the selection of these activities during Profile creation. Personal information is 
considered a component of data or assets referenced in the Categories when assessing security 
risks and protections. 


While the intended outcomes identified in the Functions, Categories, and Subcategories are the 
same for IT and ICS, the operational environments and considerations for IT and ICS differ. ICS 
have a direct effect on the physical world, including potential risks to the health and safety of 
individuals, and impact on the environment. Additionally, ICS have unique performance and 
reliability requirements compared with IT, and the goals of safety and efficiency must be 
considered when implementing cybersecurity measures. 


For ease of use, each component of the Framework Core is given a unique identifier. Functions 
and Categories each have a unique alphabetic identifier, as shown in Table 1. Subcategories 
within each Category are referenced numerically; the unique identifier for each Subcategory is 
included in Table 2. 


Additional supporting material relating to the Framework can be found on the NIST website at
http://www.nist.gov/cyberframework/.
Table 1: Function and Category Unique Identifiers

Function ID   Function    Category ID   Category
ID            Identify    ID.AM         Asset Management
                          ID.BE         Business Environment
                          ID.GV         Governance
                          ID.RA         Risk Assessment
                          ID.RM         Risk Management Strategy
PR            Protect     PR.AC         Access Control
                          PR.AT         Awareness and Training
                          PR.DS         Data Security
                          PR.IP         Information Protection Processes and Procedures
                          PR.MA         Maintenance
                          PR.PT         Protective Technology
DE            Detect      DE.AE         Anomalies and Events
                          DE.CM         Security Continuous Monitoring
                          DE.DP         Detection Processes
RS            Respond     RS.RP         Response Planning
                          RS.CO         Communications

(The remaining Respond rows and the Recover rows of Table 1 did not survive extraction.)
Appendix B: Glossary


This appendix defines selected terms used in the publication. 


Category
    The subdivision of a Function into groups of cybersecurity outcomes, closely tied to
    programmatic needs and particular activities. Examples of Categories include "Asset
    Management," "Access Control," and "Detection Processes."

Critical Infrastructure
    Systems and assets, whether physical or virtual, so vital to the United States that the
    incapacity or destruction of such systems and assets would have a debilitating impact on
    cybersecurity, national economic security, national public health or safety, or any
    combination of those matters.

Cybersecurity
    The process of protecting information by preventing, detecting, and responding to attacks.

Cybersecurity Event
    A cybersecurity change that may have an impact on organizational operations (including
    mission, capabilities, or reputation).

Detect (function)
    Develop and implement the appropriate activities to identify the occurrence of a
    cybersecurity event.

Framework
    A risk-based approach to reducing cybersecurity risk composed of three parts: the
    Framework Core, the Framework Profile, and the Framework Implementation Tiers. Also
    known as the "Cybersecurity Framework."

Framework Core
    A set of cybersecurity activities and references that are common across critical
    infrastructure sectors and are organized around particular outcomes. The Framework Core
    comprises four types of elements: Functions, Categories, Subcategories, and Informative
    References.

Framework Implementation Tier
    A lens through which to view the characteristics of an organization's approach to risk:
    how an organization views cybersecurity risk and the processes in place to manage that
    risk.

Framework Profile
    A representation of the outcomes that a particular system or organization has selected
    from the Framework Categories and Subcategories.

Function
    One of the main components of the Framework. Functions provide the highest level of
    structure for organizing basic cybersecurity activities into Categories and
    Subcategories. The five functions are Identify, Protect, Detect, Respond, and Recover.

Identify (function)
    Develop the organizational understanding to manage cybersecurity risk to systems, assets,
    data, and capabilities.

Informative Reference
    A specific section of standards, guidelines, and practices common among critical
    infrastructure sectors that illustrates a method to achieve the outcomes associated with
    each Subcategory.

Mobile Code
    A program (e.g., script, macro, or other portable instruction) that can be shipped
    unchanged to a heterogeneous collection of platforms and executed with identical
    semantics.

Protect (function)
    Develop and implement the appropriate safeguards to ensure delivery of critical
    infrastructure services.

Privileged User
    A user that is authorized (and, therefore, trusted) to perform security-relevant functions
    that ordinary users are not authorized to perform.

Recover (function)
    Develop and implement the appropriate activities to maintain plans for resilience and to
    restore any capabilities or services that were impaired due to a cybersecurity event.

Respond (function)
    Develop and implement the appropriate activities to take action regarding a detected
    cybersecurity event.

Risk
    A measure of the extent to which an entity is threatened by a potential circumstance or
    event, and typically a function of: (i) the adverse impacts that would arise if the
    circumstance or event occurs; and (ii) the likelihood of occurrence.

Risk Management
    The process of identifying, assessing, and responding to risk.

Subcategory
    The subdivision of a Category into specific outcomes of technical and/or management
    activities. Examples of Subcategories include "External information systems are
    catalogued," "Data-at-rest is protected," and "Notifications from detection systems are
    investigated."
Appendix C: Acronyms


This appendix defines selected acronyms used in the publication. 


CCS     Council on CyberSecurity
COBIT   Control Objectives for Information and Related Technology
DCS     Distributed Control System
DHS     Department of Homeland Security
EO      Executive Order
ICS     Industrial Control Systems
IEC     International Electrotechnical Commission
IR      Interagency Report
ISA     International Society of Automation
ISAC    Information Sharing and Analysis Center
ISO     International Organization for Standardization
IT      Information Technology
NIST    National Institute of Standards and Technology
RFI     Request for Information
RMP     Risk Management Process
SCADA   Supervisory Control and Data Acquisition
SP      Special Publication
Introduction


In the past few years, we have seen significant breaches in cybersecurity which could
affect critical U.S. infrastructure. Data on the nation's weakest dams, including those which
could kill Americans if they failed, were stolen by a malicious intruder. Nuclear plants'
confidential cybersecurity plans have been left unprotected. Blueprints for the technology
undergirding the New York Stock Exchange were exposed to hackers.


Examples like those underscore for many the importance of increased federal 
involvement in protecting the nation's privately-owned critical infrastructure. But for one thing: 
Those failures aren't due to poor practices by the private sector. All of the examples below were 
real lapses by the federal government. 


• The Nuclear Regulatory Commission stored sensitive cybersecurity details for nuclear
plants on an unprotected shared drive, making them more vulnerable to hackers and
cyberthieves.

• The Securities and Exchange Commission routinely exposed extremely sensitive data
about the computer networks supporting the New York Stock Exchange, including
NYSE's cybersecurity measures. The information the SEC exposed reportedly could be
extremely useful to a hacker or terrorist who wanted to penetrate the market's defenses
and attack its systems.

• Last January, hackers gained access to U.S. Army Corps of Engineers computers and
downloaded an entire non-public database of information about the nation's 85,000 dams,
including sensitive information about each dam's condition, the potential for fatalities
if breached, location and nearest city.[1]

• Last February, hackers reportedly broke into the national Emergency Broadcast System,
implemented by the Federal Emergency Management Agency (FEMA) and the
Federal Communications Commission (FCC) as the federal government's tool to
address Americans in case of a national emergency. The hackers caused television
stations in Michigan, Montana and North Dakota to broadcast zombie attack warnings.
"Civil authorities in your area have reported that the bodies of the dead are rising from
their graves and attacking the living," an authoritative voice stated in the hacked
broadcast message, while the familiar warning beep sounded. "Do not attempt to
approach or apprehend these bodies as they are considered extremely dangerous."[2]


[1] Senate HSGAC Minority Staff briefing with U.S. Army Corps of Engineers officials, May 3, 2013.
[2] "Local Station Breaks Into Programming With Emergency Zombie Apocalypse Alert," Mediaite.com,
February 11, 2013, http:// ... zombie-apocalypse-alert/, accessed January 13, 2014; "Emergency Alert
System (EAS)," FCC.gov, http://www.fcc.gov/guides/emergency-alert-system-eas.
• Last March, hackers exploited a vulnerability on web servers belonging to the National
Institute of Standards and Technology (NIST), the federal government's authority for
federal and private-sector cybersecurity. The servers, which hosted the federal
government's database of known software vulnerabilities, had to be taken out of service
for several days.[3]


In addition, hackers have penetrated, taken control of, caused damage to and/or stolen
sensitive personal and official information from computer systems at the Departments of
Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce; NASA; the
Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve;
the Commodity Futures Trading Commission; the Food and Drug Administration; the U.S.
Copyright Office; and the National Weather Service, according to public reporting.[4]


These are just hacks whose details became known to the public, often because the
hackers themselves announced their exploits. Largely invisible to the public and policymakers
are over 48,000 other cyber "incidents" involving government systems which agencies detected
and reported to DHS in FY 2012.[5] And one cannot ignore the universe of other intrusions that
agencies could not detect: civilian agencies don't detect roughly 4 in 10 intrusions, according to
testing reported in 2013 by the White House Office of Management and Budget.[6]


While cyber intrusions into protected systems are typically the result of sophisticated
hacking, they often exploit mundane weaknesses, particularly out-of-date software. Even though
they sound boring, failing to install software patches or update programs to their latest version
creates entry points for spies, hackers and other malicious actors. Last July, hackers used just that
kind of known, fixable weakness to steal private information on over 100,000 people from the
Department of Energy. The department's Inspector General blamed the theft in part on a piece


[3] Goodin, Dan, "National Vulnerability Database taken down by vulnerability-exploiting hack," Ars Technica,
March 14, 2013, http: hni m/ /2013/03/ Inerability-datab k vulnerability-exploiting-hack/, accessed January 13, 2014.

[4] Reported incidents compiled by the Senate Committee on Commerce, 2013; Rosenzweig, Paul, "The
Alarming Trend of Cybersecurity Breaches and Failures in the U.S. Government Continues," Heritage Foundation,
http:// ... continue, accessed January 13, 2014; Ryan, Jason, "Anonymous Hits Federal Reserve in Hack Attack,"
ABCNews.com, Feb. 6, 2013, http://abcnews.go.com/blogs/politics/2013/02/anonymous-hits-federal-reserve-in-hack-attack/,
accessed January 13, 2014; Lennon, Mike, "NASA Inspector General Said Hackers Had Full Functional Control Over
NASA Networks," Security Week, March 3, 2012,
http://www.securityweek.com/nasa-inspector-general-said-hackers-had-full-functional-control-over-nasa-networks,
accessed January 13, 2014; Lowenson, Josh, "Lawmakers ask for deeper look into FDA security hack," TheVerge.com,
Dec. 9, 2013, http://www.theverge.com/us-world/2013/12/9/5194260/lawmakers-ask-for-deeper-look-into-fda-security-hack,
accessed January 13, 2014.

[5] "Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security
Management Act of 2002," Office of Management and Budget, March 2013, p. 17,
http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf, accessed January 13, 2014.

[6] "Fiscal Year 2012 Report to Congress on the Implementation of the Federal Information Security
Management Act of 2002," Office of Management and Budget, March 2013, p. 30: Across 22 agencies, "on average
the NOC/SOC [Network Operations Center/Security Operations Center] was 63% effective at detecting incidents."
http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf, accessed January 13, 2014.
of software which had not been updated in over two years, even though the department had
purchased the upgrade.[7]


The President’s Order 


In February 2013, President Obama unveiled an executive order to protect the nation
from debilitating cyberattacks.[8] The president's order addresses the security of computers and
networks which run the nation's commercially-owned critical infrastructure. Already, agencies
are drawing up plans and working with the private sector to implement the president's directive.


It is appropriate for the White House to envision a federal role in protecting privately- 
owned infrastructure, particularly when that infrastructure undergirds the nation’s economy and 
society. However, for the country’s citizens and businesses to take the government’s effort 
seriously, the federal government should address the immediate danger posed by the insecurity 
of its own critical networks. 


Over more than a decade, the federal government has struggled to implement a mandate 
to protect its own IT systems from malicious attacks. As we move forward on this national 
strategy to boost the cybersecurity of our nation's critical infrastructure, we cannot overlook the 
critical roles played by many government operations, and the dangerous vulnerabilities which 
persist in their information systems. 


Federal Information Security Management Act (FISMA) 


Eleven years ago, Congress passed and the White House approved legislation to
strengthen the federal government's own computers and networks.[9] The law, known as the
Federal Information Security Management Act (FISMA), requires agencies to develop,
document, and implement information security programs which meet certain specifications.[10] As
Congress again contemplates a major cybersecurity effort, it may be advisable to evaluate how
the federal effort has fared. For one thing, FISMA could benefit from reforms of its own. But
more importantly, its history can hold clues to the federal government's ability to effectively
mandate and enforce cybersecurity standards.


Since 2006, the federal government has spent at least $65 billion on securing its
computers and networks, according to an estimate by the Congressional Research Service.[11] The
National Institute of Standards and Technology (NIST), the government's official body for


[7] Goodin, Dan, "How hackers made minced meat out of the Department of Energy networks," Ars Technica,
Dec. 16, 2013, http://arstechnica.com/security/2013/12/how-hackers-made-minced-meat-of-department-of-energy-networks/,
accessed January 13, 2014.
[8] "Executive Order — Improving Critical Infrastructure Cybersecurity," White House, February 12, 2013,
http:// ... 13/02/12/ ..., accessed January 13, 2014.
[9] "Federal Information Security Management Act of 2002," enacted as Title III of the E-Government Act of
2002 (Pub.L. 107-347).
[10] "FISMA: Detailed Overview," NIST, http://csrc.nist.gov/groups/SMA/fisma/overview.html, accessed
January 13, 2014.
[11] Congressional Research Service, Memo to HSGAC Minority Staff, "FISMA Spending, Historical Trends,"
June 6, 2013.
setting cybersecurity standards, has produced thousands of pages of precise guidance on every
significant aspect of IT security. And yet agencies — even agencies with responsibilities for 
critical infrastructure, or vast repositories of sensitive data — continue to leave themselves 
vulnerable, often by failing to take the most basic steps towards securing their systems and 
information. 


Methodology 


This report draws on more than 40 audits and other reviews by agency inspectors general, 
including mandated annual FISMA audits for nearly a dozen agencies, as well as open-source 
reporting on cybersecurity and federal agencies. In addition, staff interviewed officials from 
offices of inspectors general (OIGs) about their cybersecurity work. 


Due to the sensitivity of the topic, drafts of this report were shared with relevant OIGs to 
confirm no sensitive non-public information was inadvertently included which could harm 
federal cybersecurity efforts. 







Department of Homeland Security

In 2010, the Administration tasked the Department of Homeland Security to lead the federal government's efforts to secure its own computers.

Since it was selected to shoulder the profound responsibility of overseeing the security of all unclassified federal networks, one might expect DHS's cyber protections to be a model for other agencies, or that the department had demonstrated an outstanding competence in the field. But a closer look at DHS's efforts to secure its own systems reveals that the department suffers from many of the same shortcomings found at other government agencies.





In August 2010 — just one month after a White House directive gave DHS responsibility for the cybersecurity of all federal government networks — the DHS Inspector General found that the DHS computer security experts who would fulfill that directive had serious cyber vulnerabilities in their own systems. The IG found hundreds of vulnerabilities on the DHS cyber team's systems, including failures to update basic software like Microsoft applications, Adobe Acrobat and Java,¹² the sort of basic security measure just about any American with a computer has performed.


Weaknesses at DHS are not confined to its own cybersecurity office. IT security vulnerabilities exist throughout DHS and its component agencies. Although it has steadily improved its overall cybersecurity performance, DHS is by no means a standard-setter. In fact, in some key areas DHS lags behind many of its agency peers. For instance, in 2013 OMB found DHS rated below the government-wide average for using anti-virus software or other automated detection programs, encrypting email, and security awareness training for network users.¹³


In 2013, OMB set a goal for government agencies to send at least 88% of all internet traffic through special secure gateways, known as Trusted Internet Connections (TICs). It set a goal for DHS of 95 percent. The Department's Inspector General reported last November DHS failed to meet either goal. Just 72 percent of DHS internet traffic passed through TICs, the IG stated. It should be noted that DHS is responsible for the administration's efforts to consolidate federal internet traffic through TICs.¹⁴





¹² "DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems," DHS Office of Inspector General, August 2010, http://www.oig.dhs.gov/assets/Mgmt/OIG_10-111_Aug10.pdf, accessed January 13, 2014.
¹³ "Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002," Office of Management and Budget, March 2013, pp. 31-35, http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf, accessed January 13, 2014.
¹⁴ "OIG-14-09: Evaluation of DHS' Information Security Program for Fiscal Year 2013," DHS Office of Inspector General, November 2013, pp. 3, 15, http://www.oig.dhs.gov/assets/Mgmt/2014/OIG_14-09_Nov13.pdf, accessed January 13, 2014. DHS has claimed its TIC consolidation numbers have improved since then.
Repeated failure to install software updates and security patches. In 2012, the IG found vulnerabilities arising from missing patches on computers at the National Protection and Programs Directorate (NPPD), which houses the bulk of DHS's cybersecurity efforts; on servers supporting U.S. Secret Service intelligence work; on computers supporting ICE Homeland Security Investigations' Intelligence Fusion Systems, a powerful system allowing agents to query several sensitive databases; and on dozens of servers supporting TSA's Transportation Worker Identification Credential (TWIC) program, which keeps biometric information and credentials for over two million longshoremen, truckers, port employees, mariners and others.¹⁵


Sensitive databases protected by weak or default passwords. At NPPD, which oversees DHS's cybersecurity programs, the IG found multiple accounts protected by weak passwords.¹⁶ For FEMA's Enterprise Data Warehouse, which handles reports on FEMA's disaster deployment readiness and generates other reports accessing Personally Identifying Information (PII),¹⁷ the IG found accounts protected by "default" passwords, and improperly configured password controls.¹⁸


Computers controlling physical access to DHS facilities whose antivirus software was out of date. Twelve of the 14 computer servers the IG checked in 2012 had anti-virus definitions most recently updated in August 2011. Several of the servers also lacked patches to critical software components.¹⁹


Websites with known types of vulnerabilities which could allow a hacker to hijack user accounts, execute malicious scripts, or access sensitive information.²⁰ Public websites for CBP, FEMA, ICE and even NPPD, home of US-CERT, held flaws which could allow unauthorized access, the IG found in 2012. Notably, several vulnerabilities were found in the DHS website "Build Security In" (http://www.buildsecurityin.us-cert.gov).²¹ DHS developed the site to encourage software developers "to build security into software in every phase of its development."²²


Poor physical and information security. Independent auditors physically inspected offices and found passwords written down on desks, sensitive information left exposed, unlocked laptops, even credit card information. To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops — even two credit cards left out.²³

¹⁵ ITDashboard, "TSA — Transportation Worker Identification Credential (TWIC)," http://www.itdashboard.gov/investment?buscid=170; TWIC Deployment Website, http://www.twicinformation.com/twicinfo/, accessed January 13, 2014; information provided by DHS Office of Inspector General.
¹⁶ Examples of easily-guessed passwords are a person's username or real name, the word "password," the organization's name, or simple keyboard patterns (e.g., "qwerty"), according to the National Institute of Standards and Technology. NIST, "Guide to Enterprise Password Management (Draft), Special Publication 800-118," April 2009, http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-118, accessed January 13, 2014.
¹⁷ "Privacy Impact Assessment for the Operational Data Store (ODS) and Enterprise Data Warehouse (EDW)," June 29, 2012, http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_ods_edw_20120629.pdf, accessed January 13, 2014.
¹⁸ Information provided to HSGAC by DHS Office of Inspector General, February 14, 2013.
¹⁹ Information provided to HSGAC by DHS Office of Inspector General, February 14, 2013.
²⁰ "Evaluation of DHS' Information Security Program for Fiscal Year 2012," DHS Office of Inspector General, October 2012, http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-04_Oct12.pdf, accessed January 13, 2014.
²¹ Information provided to HSGAC by DHS Office of Inspector General, February 14, 2013.
²² "Build Security In," https://buildsecurityin.us-cert.gov/bsi/home.html, accessed January 13, 2014.
²³ "Information Technology Management Letter for the Immigration and Customs Enforcement Component of the FY 2012 Department of Homeland Security Financial Statement Audit," DHS Office of Inspector General, April 2013, http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-60_Apr13.pdf, accessed January 13, 2014.
Nuclear Regulatory Commission

The Nuclear Regulatory Commission (NRC) maintains volumes of sensitive, detailed documentation on nuclear facilities. The design and security plans of every nuclear reactor, waste storage facility, and uranium processing facility in the United States; records on every individual licensed to operate or supervise nuclear reactors; and information on the design and process of nuclear material transport all live on the NRC's systems.

Unauthorized disclosure of such sensitive, non-public information "could result in damage to the Nation's critical infrastructure," including nuclear power plants, according to the NRC's Inspector General.²⁴ Unfortunately, the NRC regularly experiences unauthorized disclosures of sensitive information, or fails to apply adequate measures to protect that data.


Perceived ineptitude of NRC technology experts. There is such "a general lack of confidence" in the NRC's information technology division that NRC offices have effectively gone rogue — by buying and deploying their own computers and networks without the knowledge or involvement of the department's so-called IT experts. Such "shadow IT" systems "can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies," the NRC Inspector General reported in December 2013.²⁵


Sensitive data stored on unsecured shared drive. NRC workers improperly stored and shared sensitive information on an unsecured network drive, according to a 2011 audit. Among the inappropriate data found on the drive: details on nuclear facilities' cybersecurity programs; information on security at fuel cycle facilities; and a Commissioner's passport photo, credit card image, home address and phone number.²⁶


Failure to report security breaches. How often does the NRC lose track of or accidentally expose sensitive information to possible release? The NRC can't say, because it has no official process for reporting such breaches. Many involve electronic data stored on the Commission's computers. Of the 95 security lapses which NRC personnel did report between 2005 and 2011, at least a third appear to involve NRC's IT systems.²⁷


Inability to keep track of computers. The NRC has had trouble keeping track of its laptop computers, including those which access sensitive information about the nuclear sites the commission regulates.²⁸ Confusion over laptops' documentation and authorization "could lead to unauthorized use of NRC resources or release of sensitive information," the NRC OIG warned in 2012.²⁹

²⁴ "Semiannual Report to Congress," Nuclear Regulatory Commission Office of the Inspector General, September 30, 2012, http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1415/v25n2/sr1415v25n2.pdf, accessed January 13, 2014.
²⁵ "Audit of NRC's Information Technology Governance," Nuclear Regulatory Commission Office of the Inspector General, December 9, 2013, pp. i, 8, http://pbadupws.nrc.gov/docs/ML1334/ML13343A244.pdf, accessed January 13, 2014.
²⁶ "Audit of NRC's Shared 'S' Drive," Nuclear Regulatory Commission Office of the Inspector General, July 27, 2011, http://pbadupws.nrc.gov/docs/ML1120/ML112081653.pdf, accessed January 13, 2014.
²⁷ "Audit of NRC's Protection of Safeguards Information," Nuclear Regulatory Commission Office of the Inspector General, April 16, 2012, http://pbadupws.nrc.gov/docs/ML1210/ML12107A048.pdf, accessed January 13, 2014.


General Sloppiness. Federal guidelines are clear: when an agency identifies a weakness in its IT security, officials must record the problem, find a way to fix it, and assign themselves a deadline for completion. As officials make progress and the weakness is eventually remedied, officials are supposed to update their records. Without that basic system in place, neither the agency nor the administration can tell if vulnerabilities are being addressed.

Yet just about every aspect of that process appears to be broken at the NRC. Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not. In 2012, the IG reported the NRC was "not effective at monitoring the progress of corrective efforts relative to known weaknesses in IT security controls."³⁰ Last November, a year later, the IG found that nothing had changed, and that the NRC's efforts "are still not effective at monitoring the progress of corrective efforts ... and therefore do not provide an accurate measure of security program effectiveness."³¹


²⁸ "Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2012," Nuclear Regulatory Commission Office of the Inspector General, November 8, 2012, pp. 5-6, http://pbadupws.nrc.gov/docs/ML1231/ML12313A195.pdf, accessed January 13, 2014.
²⁹ "Information of Security Risk Evaluation of Region II — Atlanta, GA," Nuclear Regulatory Commission Office of the Inspector General, August 27, 2012, p. 10, http://www.nrc.gov/reading-rm/doc-collections/insp-gen/2012/oig-12-a-17.pdf, accessed January 13, 2014.
³⁰ "Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2012," Nuclear Regulatory Commission Office of the Inspector General, November 8, 2012, http://pbadupws.nrc.gov/docs/ML1231/ML12313A195.pdf, accessed January 13, 2014.
³¹ "Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act for Fiscal Year 2013," Nuclear Regulatory Commission Office of Inspector General, November 22, 2013, http://pbadupws.nrc.gov/docs/ML1332/ML13326A090.pdf, accessed January 13, 2014.
Internal Revenue Service

The Internal Revenue Service (IRS) collects federal taxes owed by any person or business in the United States, and its computers hold more sensitive data on more Americans than those of perhaps any other federal component. In addition to traditional records on employment, income and identifier information, the IRS reportedly collects a huge volume of personal information on Americans' credit card transactions, eBay activities, Facebook posts and other online behavior.³²





Unfortunately, the IRS has struggled with the same serious cybersecurity issues for years, 
and has moved too slowly to correct them. 


The IRS' internal watchdog, the Treasury Inspector General for Tax Administration (TIGTA), believes data security is the most serious management challenge facing the IRS.³³ For years, the Government Accountability Office (GAO) has also warned IRS its computers are not safe — that in fact, they are dangerously vulnerable to intrusion and data theft.³⁴


Every year since 2008, GAO has identified about 100 cybersecurity weaknesses at the IRS which compromise the agency's computers and data, often repeating weaknesses it cited the previous year.³⁵ Every year, the IRS claims to fix about half of them, but GAO says even those disappointing numbers aren't right, because IRS doesn't confirm the actions they take actually fix the problems.³⁶ And every year, GAO returns and finds around 100 problems with IRS' cybersecurity.³⁷


Fails to encrypt sensitive data. IRS routinely fails to encrypt its data — converting sensitive data into complex code, making it difficult to read without a key to de-encrypt the information — or it encrypts the data so weakly that it can be easily decoded.³⁸ Since at least 2009, GAO has repeatedly identified instances where IRS did not properly encrypt sensitive data including tax, accounting, and financial information, as well as usernames and passwords. Failing to encrypt or weakly encrypting those data makes it easier for a malicious actor to download, view, and possibly even change taxpayer information and IRS systems.³⁹

³² Satran, Richard, "IRS High-Tech Tools Track Your Digital Footprints," U.S. News and World Report, April 4, 2013, http://money.usnews.com/money/personal-finance/mutual-funds/articles/2013/04/04/irs-high-tech-tools-track-your-digital-footprints, accessed January 13, 2014.
³³ "Management and Performance Challenges Facing the Internal Revenue Service for Fiscal Year 2014," Treasury Inspector General for Tax Administration, November 8, 2013, http://www.treasury.gov/tigta/management/management_fy2014.pdf, accessed January 13, 2014.
³⁴ "INFORMATION SECURITY: IRS Has Improved Controls but Needs to Resolve Weaknesses," Government Accountability Office, March 2013, http://www.gao.gov/assets/660/653086.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2012, http://www.gao.gov/assets/590/589399.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2011, http://www.gao.gov/assets/320/316569.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses," Government Accountability Office, March 2010, http://gao.gov/assets/310/302087.pdf, accessed January 13, 2014; "INFORMATION SECURITY: Continued Efforts Needed to Address Significant Weaknesses at IRS," Government Accountability Office, January 2009, http://gao.gov/assets/290/284722.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Address Pervasive Weaknesses," Government Accountability Office, January 2008, http://www.gao.gov/assets/280/270917.pdf, accessed January 13, 2014.
³⁵ Ibid.
³⁶ Ibid.


Lousy user passwords. In March 2013, GAO reported that IRS allowed its employees to use passwords that "could be easily guessed." Examples of easily-guessed passwords are a person's username or real name, the word "password," the agency's name, or simple keyboard patterns (e.g., "qwerty"), according to the National Institute of Standards and Technology.⁴⁰ In some cases, IRS users had not changed their passwords in nearly two years.⁴¹ As a result, someone might gain unauthorized access to taxpayers' personal information and it "would be virtually undetectable," potentially for years.⁴² GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS' information security for the past six years.⁴³
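The NIST categories quoted here (and in footnote 16 of the DHS section) can be turned into a mechanical screen applied when a password is set or audited. The following is an added example, not code from the report, GAO or NIST; the 90-day maximum password age and the acceptance of dates as ISO strings are choices made here, not figures from the page.

```python
"""Screen for the "easily guessed" password categories NIST SP 800-118
(draft) lists, as quoted in this report: the user's username or real name,
the word "password", the agency's name, and simple keyboard patterns,
plus the password-age problem GAO cited. Added example; the 90-day
rotation limit is an assumption, not a figure from the report."""
import re
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumption: a 90-day rotation policy

# Physical keyboard rows; a run of 4+ adjacent keys in either direction
# is treated as a pattern (e.g. "qwerty", "asdf", "0987").
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common symbol-for-letter substitutions so "P@ssw0rd" still matches "password".
_LEET = str.maketrans("@01345$!", "aoieassi")


def _raw(s):
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _keyboard_runs(min_len=4):
    runs = set()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - min_len + 1):
                for j in range(i + min_len, len(r) + 1):
                    runs.add(r[i:j])
    return runs


_RUNS = _keyboard_runs()


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def weak_password_reasons(password, username, real_name, agency_name,
                          last_changed=None, today=None):
    """Return the list of reasons a password is weak; an empty list means
    none of the screened categories matched."""
    raw = _raw(password)
    leet = _raw(password.lower().translate(_LEET))
    forms = (raw, leet)
    if not raw:
        return ["empty password"]

    def contains(fragment):
        frag = _raw(fragment)
        return len(frag) >= 3 and any(frag in f for f in forms)

    reasons = []
    if contains("password"):
        reasons.append("contains the word 'password'")
    if contains(username):
        reasons.append("contains the username")
    if any(contains(part) for part in real_name.split()):
        reasons.append("contains part of the user's real name")
    acronym = "".join(w[0] for w in agency_name.split())
    if any(contains(w) for w in agency_name.split()) or contains(acronym):
        reasons.append("contains the agency's name or acronym")
    if any(run in raw for run in _RUNS):
        reasons.append("contains a keyboard pattern")
    if last_changed is not None:
        now = _as_date(today) if today is not None else date.today()
        age = (now - _as_date(last_changed)).days
        if age > MAX_PASSWORD_AGE_DAYS:
            reasons.append(f"not changed for {age} days")
    return reasons
```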


Officials don't properly fix known vulnerabilities. IRS employees monitored its computers by running programs which flagged vulnerabilities in equipment and software, but then failed to fix the issues. As a result, scans repeatedly flagged the same vulnerabilities "for two or three consecutive months."⁴⁴

³⁸ "INFORMATION SECURITY: IRS Has Improved Controls but Needs to Resolve Weaknesses," Government Accountability Office, March 2013, p. 10, http://www.gao.gov/assets/660/653086.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2012, p. 9, http://www.gao.gov/assets/590/589399.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2011, p. 9, http://www.gao.gov/assets/320/316569.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses," Government Accountability Office, March 2010, p. 9, http://gao.gov/assets/310/302087.pdf, accessed January 13, 2014; "INFORMATION SECURITY: Continued Efforts Needed to Address Significant Weaknesses at IRS," Government Accountability Office, January 2009, p. 11, http://www.gao.gov/assets/290/284722.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Address Pervasive Weaknesses," Government Accountability Office, January 2008, p. 12, http://www.gao.gov/assets/280/270917.pdf, accessed January 13, 2014.
³⁹ Ibid.
⁴⁰ NIST, "Guide to Enterprise Password Management (Draft), Special Publication 800-118," April 2009, http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf, accessed January 13, 2014.
⁴¹ "INFORMATION SECURITY: IRS Has Improved Controls but Needs to Resolve Weaknesses," Government Accountability Office, pp. 7-8, March 2013, http://www.gao.gov/assets/660/653086.pdf, accessed January 13, 2014.
⁴² Ibid.
⁴³ Ibid; "INFORMATION SECURITY: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2012, p. 7, http://www.gao.gov/assets/590/589399.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2011, p. 7, http://www.gao.gov/assets/320/316569.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses," Government Accountability Office, March 2010, p. 7, http://gao.gov/assets/310/302087.pdf, accessed January 13, 2014; "INFORMATION SECURITY: Continued Efforts Needed to Address Significant Weaknesses at IRS," Government Accountability Office, January 2009, p. 10, http://www.gao.gov/assets/290/284722.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Address Pervasive Weaknesses," Government Accountability Office, January 2008, p. 10, http://www.gao.gov/assets/280/270917.pdf, accessed January 13, 2014.


Dangerously slow to install crucial software updates and patches. In March 2012, IRS computers had 7,329 "potential vulnerabilities" because critical software patches had not been installed on computer servers which needed them.⁴⁵ At one point in 2011, over a third of all computers at the IRS had software with critical vulnerabilities that were not patched.⁴⁶ IRS officials said they expect critical patches to be installed within 72 hours. But TIGTA found it took the IRS 55 days, on average, to get around to installing critical patches.⁴⁷ Most recently, in September 2013, TIGTA re-affirmed that the IRS still "has not yet fully implemented a process to ensure timely and secure installation of software patches."⁴⁸
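The two failure modes in the last two paragraphs, the same finding reappearing scan after scan and critical patches landing far outside the stated 72-hour expectation, can be measured directly from scan output and a patch log. This is an added example over constructed records, not code from the report, TIGTA or GAO; the host names and "VULN-x" identifiers are placeholders.

```python
"""Two checks drawn from the TIGTA findings: vulnerabilities that reappear
in consecutive monthly scans, and days-from-detection-to-patch for critical
findings measured against the 72-hour expectation. Added example over
constructed scan and patch records; hosts and vuln ids are placeholders."""
from collections import defaultdict
from datetime import date

CRITICAL_PATCH_SLA_HOURS = 72  # IRS officials' stated expectation, per the report

# Constructed monthly scan output: (scan_date, host, vuln_id, severity).
SCANS = [
    (date(2012, 1, 15), "srv-01", "VULN-A", "critical"),
    (date(2012, 1, 15), "srv-02", "VULN-B", "critical"),
    (date(2012, 2, 15), "srv-01", "VULN-A", "critical"),
    (date(2012, 2, 15), "srv-03", "VULN-C", "high"),
    (date(2012, 3, 15), "srv-01", "VULN-A", "critical"),
    (date(2012, 3, 15), "srv-01", "VULN-D", "critical"),
    (date(2012, 3, 15), "srv-03", "VULN-C", "high"),
]
# Constructed patch log: (host, vuln_id, date_patched).
PATCHES = [
    ("srv-02", "VULN-B", date(2012, 1, 17)),
    ("srv-01", "VULN-A", date(2012, 3, 20)),
]


def repeat_findings(scans, min_consecutive=2):
    """Map (host, vuln_id) -> longest run of consecutive scans that flagged
    it, keeping only runs of at least min_consecutive scans."""
    scan_dates = sorted({s[0] for s in scans})
    seen = defaultdict(set)
    for d, host, vuln, _sev in scans:
        seen[(host, vuln)].add(scan_dates.index(d))
    out = {}
    for key, idx in seen.items():
        ordered = sorted(idx)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_consecutive:
            out[key] = best
    return out


def patch_latency_days(scans, patches, severity="critical"):
    """Map (host, vuln_id) -> days from first detection to patch, or None
    when no patch has been recorded for that finding."""
    first_seen = {}
    for d, host, vuln, sev in scans:
        if sev != severity:
            continue
        key = (host, vuln)
        if key not in first_seen or d < first_seen[key]:
            first_seen[key] = d
    patched = {(h, v): p for h, v, p in patches}
    return {k: (patched[k] - d).days if k in patched else None
            for k, d in first_seen.items()}


def sla_report(scans, patches):
    """Summarize critical patching against the 72-hour expectation;
    an unpatched critical finding counts as a breach."""
    latency = patch_latency_days(scans, patches)
    done = [d for d in latency.values() if d is not None]
    breaches = sorted(k for k, d in latency.items()
                      if d is None or d * 24 > CRITICAL_PATCH_SLA_HOURS)
    return {
        "critical_findings": len(latency),
        "mean_days_to_patch": sum(done) / len(done) if done else None,
        "unpatched": sorted(k for k, d in latency.items() if d is None),
        "sla_breaches": breaches,
    }


if __name__ == "__main__":
    print("recurring:", repeat_findings(SCANS))
    print("critical patch SLA:", sla_report(SCANS, PATCHES))
```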





⁴⁴ "Federal Information Security Management Act Report for Fiscal Year 2012," Treasury Inspector General for Tax Administration, September 28, 2012, pp. 7-8, http://www.treasury.gov/tigta/auditreports/2012reports/201220114fr.pdf, accessed January 13, 2014.
⁴⁵ "Federal Information Security Management Act Report for Fiscal Year 2012," Treasury Inspector General for Tax Administration, September 28, 2012, http://www.treasury.gov/tigta/auditreports/2012reports/201220114fr.pdf, accessed January 13, 2014.
⁴⁶ "Federal Information Security Management Act Report for Fiscal Year 2012," Treasury Inspector General for Tax Administration, September 28, 2012, p. 7, http://www.treasury.gov/tigta/auditreports/2012reports/201220114fr.pdf, accessed January 13, 2014.
⁴⁷ "An Enterprise Approach Is Needed to Address the Security Risk of Unpatched Computers," Treasury Inspector General for Tax Administration, September 25, 2012, p. 10, http://www.treasury.gov/tigta/auditreports/2012reports/201220112fr.pdf, accessed January 13, 2014.
⁴⁸ "Federal Information Security Management Act Report for Fiscal Year 2013," Treasury Inspector General for Tax Administration, September 27, 2013, p. 7, http://www.treasury.gov/tigta/auditreports/2013reports/201320126fr.pdf, accessed January 13, 2014.
Department of Education

The Department of Education holds and manages $948 billion in student loans made to more than 30 million borrowers. The Department's computers hold volumes of information on those borrowers — loan applications, credit checks, repayment records and more.⁴⁹

Given the mammoth store of sensitive information the department keeps, it is disappointing that its Inspector General has said there is little assurance that sensitive data has not been altered or stolen from the computer systems which undergird its lending program.⁵⁰

"[T]he Department's information is vulnerable to attacks that could lead to a loss of confidentiality," the IG concluded. "Also, there is increased risk that unauthorized activities ... could reduce the reliability and integrity of Department systems and data."⁵¹


No review for malicious activity. The Education Department provides remote access to student financial data to Department officials who are off-site or teleworking. Those remote access accounts can be easily compromised by hackers, who use keylogger malware to steal login information from officials' computers by secretly recording their keystrokes.


In 2011 and 2012, the Education Department's Federal Student Aid (FSA) office reported 819 compromised accounts. In only 17 percent of those cases did the Department review activity for those accounts to see whether any malicious activity had occurred.⁵² Although the financial data is maintained by outside contractors, some of the Department's contracts for those services don't ensure it has access to audit logs for this purpose.⁵³


In fact, the Education Department failed to ensure the contractor properly protected borrowers' sensitive personal and financial information; adequately configured their systems with security measures; identified and corrected flaws in their IT system; or adequately managed configuration settings and patching updates.⁵⁴

⁴⁹ U.S. Department of Education, Office of Federal Student Aid, Annual Report 2012, p. 2, http://www2.ed.gov/about/reports/annual/2012report/fsa-report.pdf, accessed January 13, 2014.
⁵⁰ Inspector General Tighe testimony before the House Oversight and Government Reform Committee, March 5, 2013, pages 10-11, http://cq.com/doc/testimony-4230838#testimony, accessed January 13, 2014.
⁵¹ "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012," Office of Inspector General, Department of Education, November 2012, p. 9, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2013/a11m0003.pdf, accessed January 13, 2014.
⁵² "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012," Office of Inspector General, Department of Education, November 2012, p. 10, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2013/a11m0003.pdf, accessed January 13, 2014.
⁵³ "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012," Office of Inspector General, Department of Education, November 2012, p. 11, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2013/a11m0003.pdf, accessed January 13, 2014.


Unsecure networks. Stealing login data wasn't the only way for hackers to potentially compromise the Department's network infrastructure. In 2011, 2012 and 2013, auditors were able to connect a "rogue" computer and other hardware to the Education Department's networks without being noticed. This same access could allow a hacker to drop into the network environment behind the firewalls and other perimeter security.⁵⁵

In June 2013, when its auditors succeeded with this same "rogue" penetration test, they were even able to access sensitive data stored in the department's networked printers "which could be used in a possible social engineering attack."⁵⁶


Vulnerable user accounts. Hundreds of user accounts employed passwords that had not been changed for over 90 days, and many which had not been changed in over a year, the Inspector General found. The Department also failed to deactivate accounts which had been dormant for 90 days. Both are violations of the Department's own policies, meant to protect against unauthorized access by malicious actors, including hackers and ex-employees.⁵⁷ Also, while the Department had distributed authentication tokens to many of its employees — which is required by DHS and OMB guidance — fewer than half were activated for use, the OIG found.⁵⁸
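The three policy rules in this paragraph (password age over 90 days, dormant accounts still enabled past 90 days, tokens issued but never activated) are the kind of check an OIG or an agency's own identity team can run over an account export. This is an added example over constructed sample accounts, not code from the report or the Department's OIG; the audit date, the sample records and the one-year escalation threshold are choices made here.

```python
"""Account-hygiene audit for the rules this section cites: passwords not
changed within 90 days (and over a year), dormant accounts left enabled past
90 days, and authentication tokens issued but never activated. Added example;
the thresholds follow the report's text, the sample accounts and audit date
are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PASSWORD_MAX_AGE_DAYS = 90        # Department policy cited in the report
DORMANCY_DISABLE_DAYS = 90        # Department policy cited in the report
PASSWORD_AGE_ESCALATE_DAYS = 365  # assumption: separately count passwords older than a year


@dataclass
class Account:
    user: str
    created: date
    password_changed: date
    last_login: Optional[date]  # None = never logged in
    enabled: bool
    token_issued: bool
    token_activated: bool


def audit_accounts(accounts, as_of):
    """Return (findings, summary): findings is a list of (user, message),
    summary counts each rule violation across enabled accounts."""
    findings = []
    summary = {"enabled_accounts": 0, "stale_password": 0,
               "stale_password_over_year": 0, "dormant_still_enabled": 0,
               "tokens_issued": 0, "tokens_activated": 0}
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account cannot be used for unauthorized access
        summary["enabled_accounts"] += 1

        pw_age = (as_of - a.password_changed).days
        if pw_age > PASSWORD_MAX_AGE_DAYS:
            summary["stale_password"] += 1
            if pw_age > PASSWORD_AGE_ESCALATE_DAYS:
                summary["stale_password_over_year"] += 1
            findings.append((a.user, f"password age {pw_age} days exceeds "
                                     f"{PASSWORD_MAX_AGE_DAYS}-day policy"))

        # A never-used account is dormant from creation; this also catches
        # accounts provisioned for staff who have since left.
        idle = (as_of - (a.last_login or a.created)).days
        if idle > DORMANCY_DISABLE_DAYS:
            summary["dormant_still_enabled"] += 1
            findings.append((a.user, f"dormant {idle} days but still enabled"))

        if a.token_issued:
            summary["tokens_issued"] += 1
            if a.token_activated:
                summary["tokens_activated"] += 1
            else:
                findings.append((a.user, "authentication token issued but never activated"))

    issued = summary["tokens_issued"]
    summary["token_activation_rate"] = summary["tokens_activated"] / issued if issued else None
    return findings, summary


# Constructed sample records (not real Department accounts); audit date is FY2013 year-end.
AS_OF = date(2013, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2013, 1, 15), date(2013, 8, 1), date(2013, 9, 25), True, True, True),
    Account("bob", date(2012, 5, 1), date(2013, 4, 1), date(2013, 9, 20), True, True, False),
    Account("carol", date(2011, 3, 1), date(2012, 6, 1), date(2013, 6, 1), True, True, False),
    Account("dave", date(2013, 2, 1), date(2013, 2, 1), None, True, True, False),
    Account("erin", date(2010, 1, 1), date(2010, 1, 1), date(2010, 6, 1), False, False, False),
]

if __name__ == "__main__":
    findings, summary = audit_accounts(SAMPLE_ACCOUNTS, AS_OF)
    for user, msg in findings:
        print(f"{user}: {msg}")
    print(summary)
```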





⁵⁴ "Security Controls for Data Protection over the Virtual Data Center (Plano, TX)," Office of Inspector General, Department of Education, September 2010, p. 2, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2010/a11j0006.pdf, accessed January 13, 2014.
⁵⁵ "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012," Office of Inspector General, Department of Education, November 2012, p. 8, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2013/a11m0003.pdf, accessed January 13, 2014.
⁵⁶ "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013," November 2013, p. 10, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2014/a11n0001.pdf, accessed January 13, 2014.
⁵⁷ "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013," November 2013, pp. 12-13, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2014/a11n0001.pdf, accessed January 13, 2014.
⁵⁸ "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013," November 2013, p. 24, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2014/a11n0001.pdf, accessed January 13, 2014.
Department of Energy

The many agencies and offices of the sprawling Department of Energy touch nearly every aspect of the nation's energy infrastructure, from generation to transmission and transportation, commercial exchange, research and more. Given how critical its operations are to the national economy and security, one might expect its technology to be more securely protected than most other agencies.

Instead, a close inspection shows the Energy Department's cybersecurity suffers from many of the same basic vulnerabilities and weaknesses found at other federal institutions, which increase the risk that the department's systems could be hacked, and even brought down.⁵⁹ Indeed, in January 2013 hackers reportedly compromised 14 servers and 20 workstations, and made off with personal information on hundreds of government and contract employees, and possibly other information.⁶⁰ And last July, hackers made off with personal information for 104,000 past and present employees.⁶¹


Widespread weaknesses at power distribution agency. In October 2012, the Energy IG released an alarming report on cybersecurity weaknesses at the Western Area Power Administration, which markets and delivers wholesale electricity to power millions of homes and businesses through 15 central and western states. "Nearly all" of the 105 computers tested had at least one out-of-date patch; a public-facing server was configured with a default name and password, which "could have allowed an attacker with an Internet connection to obtain unauthorized access to an internal database supporting the electricity scheduling system." What's more, officials at the agency "did not always identify and correct known vulnerabilities." One reason the IG cited: although officials ran vulnerability checks on their IT systems, they ran "less intrusive" scans so as not to slow overall system performance. But those lightweight scans sometimes missed significant weaknesses.⁶²


Weak usernames, passwords, and other access controls. The Energy Department's Inspector General found during a 2012 review that over a quarter of the sites examined had weak access controls. The problems included weak usernames and passwords; accounts with improper access; and a server with insufficient security to prevent it from being remotely controlled.⁶³

⁵⁹ "Evaluation Report: The Department's Unclassified Cyber Security Program — 2012," Department of Energy Office of the Inspector General, November 2012, pp. 2-3, http://energy.gov/sites/prod/files/IG-0877.pdf, accessed January 13, 2014.
⁶⁰ Perlroth, Nicole, "Energy Department Is the Latest Victim of an Online Attack," New York Times, February 2013, accessed January 13, 2014.
⁶¹ Goodin, Dan, "How hackers made minced meat out of the Department of Energy networks," Ars Technica, Dec. 16, 2013, http://arstechnica.com/security/2013/12/how-hackers-made-minced-meat-of-department-of-energy-networks/, accessed January 13, 2014.
⁶² "Audit Report: Management of Western Area Power Administration's Cyber Security Program," Department of Energy Office of the Inspector General, October 2012, pp. 1-2, http://energy.gov/sites/prod/files/IG-0873.pdf, accessed January 13, 2014.


Failure to apply critical patches and updates to software. In 2013, the IG found that 41 percent of the Department's desktop computers auditors examined were running operating systems or applications which had known vulnerabilities that were not patched, even though the software developers had made patches available.[64] In 2012, the IG's team found 41 network servers running operating systems that were no longer supported by the developer, meaning that even when vulnerabilities were discovered in the system, no patch would be made available.[65]

Vulnerable web applications. Several Department web applications had weak security, increasing the risk a hacker could gain unauthorized access to sensitive systems and obtain information, add or change data, or inject flaws or malicious code, the IG found. The weaknesses included the sorts which are considered the most commonly exploited vulnerabilities for web applications.[66]

Unprotected servers. Eleven servers checked by the OIG last year had no password protections or default/weak passwords, meaning an attacker could gain access to the systems, and could use them to attack other systems on the Department's network. One of the unprotected machines the OIG found was a payroll server, which was configured to allow remote access to anyone, without a username or password.[67]





63 “Evaluation Report: The Department's Unclassified Cyber Security Program - 2012,” Department of Energy Office of the Inspector General, November 2012, pp. 2-3, http://energy.gov/sites/prod/files/IG-0877.pdf, accessed January 13, 2014.

64 “Evaluation Report: The Department of Energy's Unclassified Cyber Security Program - 2013,” Department of Energy Office of the Inspector General, October 2013, http://energy.gov/sites/prod/files/2013/11/f4/IG-0897.pdf, accessed January 13, 2014.

65 “Evaluation Report: The Department's Unclassified Cyber Security Program - 2012,” Department of Energy Office of the Inspector General, November 2012, pp. 3-4, http://energy.gov/sites/prod/files/IG-0877.pdf, accessed January 13, 2014.

66 “Evaluation Report: The Department's Unclassified Cyber Security Program - 2012,” Department of Energy Office of the Inspector General, November 2012, pp. 4-5, http://energy.gov/sites/prod/files/IG-0877.pdf, accessed January 13, 2014.

67 “Evaluation Report: The Department of Energy's Unclassified Cyber Security Program - 2013,” Department of Energy Office of the Inspector General, October 2013, http://energy.gov/sites/prod/files/2013/11/f4/IG-0897.pdf, accessed January 13, 2014.
Securities and Exchange Commission


Over the last two decades, financial markets have become 
increasingly reliant on technology to handle the expanding volume of their 
business. Today, exchanges like the New York Stock Exchange process 
millions of trades a day electronically. 





In response, the Securities and Exchange Commission (SEC) developed a dedicated team within its Trading and Markets Division to keep an eye on how markets build and manage key trading systems. Among the division's duties is ensuring markets safeguard their systems from hackers and other malicious cyber intruders.


But a 2012 investigation into the team found conduct which did not reflect a concern for security. Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts.[68] They used unencrypted laptops to store sensitive information, in violation of SEC policy — and contravening their own advice to the stock exchanges.[69] Their laptops also lacked antivirus software.[70] The laptops contained “vulnerability assessments and maps and networking diagrams of how to hack into the exchanges,” according to one SEC official.[71]


The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits.[72] They also appeared to have connected laptops containing sensitive information to unprotected wi-fi networks at public locations like hotels — in at least one reported case, at a convention of computer hackers.[73]





68 “Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets,” Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed June 10, 2013; Lynch, Sarah N., “U.S. SEC staffers used govn't computers for personal use,” Reuters, November 9, 2012, http://www.reuters.com/article/2012/11/09/sec-cyber-report-idUSL1E8M9CMI20121109, accessed January 13, 2014.

69 Lynch, Sarah N., “EXCLUSIVE: SEC left computers vulnerable to cyber attacks,” Reuters, November 9, 2012.

70 “Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets,” Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 3, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

71 Lynch, Sarah N., “NYSE hires ex-homeland security chief after SEC security lapse,” Reuters, November 16, 2012, http://www.reuters.com/article/2012/11/16/sec-cyber-nyse-idUSL1E8MG95K20121116, accessed January 13, 2014.

72 “Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets,” Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 24, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

73 Lynch, Sarah N., “U.S. SEC staffers used govn't computers for personal use,” Reuters, November 9, 2012, http://www.reuters.com/article/2012/11/09/sec-cyber-report-idUSL1E8M9CMI20121109, accessed January 13, 2014.
The investigation also found that while SEC policy prohibited employees from accessing personal e-mail from web-based sites like Gmail, SEC officials in the division arranged to access an internet-connected network which did not block such sites.[74] These employees also brought in their own personal computers and connected them to the SEC's network.[75] And for a period of several months, the team's network had no firewall or intrusion protection software running.[76] All of these practices increased the risk of introducing viruses and other malware to SEC computers, and potentially compromised sensitive data about the cybersecurity of securities exchanges, not to mention the SEC's own protections.[77]


74 “Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets,” Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 31, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

75 “Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets,” Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 35, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

76 “Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets,” Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 34, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

77 “Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets,” Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 30, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.
Document 2014/0088628
From: Treib, Heinz Jürgen
Sent: Wednesday, 19 February 2014 17:13
To: Meißner, Alexander
Cc: Dürig, Markus, Dr.; IT3; RegIT3; Mantz, Rainer, Dr.
Subject: FW: NIST-Framework


I would like to put my assessment in a single word: “showpiece”!

In my view it is at most helpful when it comes to showing that the discussion is also being held in the industrial nation USA.

In the past it was the BMWi which, to put it euphemistically, showed only restrained zeal with regard to the 2013 ITSiG draft. With the US Cyber Framework we now see what has come out, as a fallback, on the basis of the US Presidential Executive Order after a “Cyber Bill” failed in Congress in 2012: the Democrats could not prevail against the Republicans with provisions regarded by industry as a burden and with expanded competences for the Department of Homeland Security (DHS). In the last legislative period we experienced this, as far as I can judge from the “off”, in a “light version” in DEU, so to speak.

In fact, in my view, we are seeing how in the USA the ambitious ideas practically evaporate into a well-sounding “Framework” that is as extensive as it is non-binding. I have looked through my notes from the conversation between Frau St'n RG and M. Daniel (dinner after the BKA conference in Nov. 2013). Since essentially nothing has changed since Nov. 2013, we can take our bearings from M. Daniel's quite informative statements in response to our questions.

In detail this can be condensed as follows:


1. Regulatory approaches in the area of IT security:

• No comprehensive IT security legislation is planned in the USA.

• Where appropriate, smaller legislative changes within existing laws are conceivable (“smaller legislative packages”).

• The USA relies on voluntariness: “voluntary route, PPP”!

• This focus is meant to make it possible to proceed from A (creation of a framework) to B (adoption of the framework): “Proceed from A to B” (quote M. Daniel).

• Regarding incentives, cyber security insurance (“cyber security insurances”) is to be considered; assessment/examination procedures and hearings (“assessment, audit”) are also being considered.

• The “Framework” takes internationally positioned companies into account. Leading companies are to be identified (“international companies, lead companies to be figured out”).

• The “Framework” is expected to stimulate standards (“drive standards”).
• DEU reply: the voluntary approach is interesting, but DEU experience teaches that one cannot rely on it alone and that a reporting obligation for incidents is necessary, with concerns about competitive disadvantages for affected companies having to take a back seat.

• US view in turn:

  o Voluntariness creates an atmosphere that makes it possible to gain helpful insights.

  o Companies are open to reporting (“reporting”). However, the principle applies that customers are notified first and the government only second.

  o The problem with a reporting obligation lies in the details, e.g. and in particular reaching the threshold that triggers the reporting obligation (“threshold”).

• Herr ITD remarks that DEU wants internationally recognised standards and finds the US Framework lacking the necessary concreteness.

• Herr Daniel agrees to some extent (“is not specific enough”). By way of justification: US concerns revolved around the establishment of “minimum standards”. There are certainly companies with high standards. There would be a danger that these would be lowered by minimum standards.

• St'n RG remarks that, according to DEU experience, the sectors with the best security standards are those that are already regulated.

• M. Daniel points to the need for emergency and contingency plans, which would have to be tested (“testing back-up capability”).

• Internet industry as critical infrastructure:

• ITD raises the question of treating the internet industry as critical infrastructure and the need for regulation.

• M. Daniel explains the US situation with strict state regulation in the area of voice telephony in contrast to the internet, where net neutrality (“net neutrality”) applies. AT&T and Verizon, for example, as large companies are well positioned, and the smaller firms could/would have to learn from them. The Federal Trade Commission (FTC) had not been able to bring itself to regulate ISPs.

• Christopher Painter (Cyber Coordinator at DoS) notes that US ISPs had in part learned from DEU here (“Net Cologne...early adopter...Sandbox”).
• One also sees the problem that regulation always lags behind rapid technological development cycles (“regulation is behind”).

Kind regards

Jürgen Treib


From: Dürig, Markus, Dr.
Sent: Wednesday, 19 February 2014 13:51
To: Meißner, Alexander; Treib, Heinz Jürgen; RegIT3
Cc: Mantz, Rainer, Dr.
Subject: FW: NIST-Framework


Dear Herr Treib,
please provide a brief evaluation.
Dear Herr Meissner,
“honey” for the IT-SiG?
Best regards, MD


Dr. Markus Dürig
Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de


From: Strahl, Claudia
Sent: Thursday, 13 February 2014 16:39
To: Dürig, Markus, Dr.; Mantz, Rainer, Dr.
Subject: FW: NIST-Framework


Received in the IT3 mailbox, for information or further use

Strahl


From: Vogel, Michael, Dr.
Sent: Thursday, 13 February 2014 16:25
To: IT3
Cc: Stöber, Karlheinz, Dr.; Klee, Kristina, Dr.; Krumsieg, Jens; Schallbruch, Martin; BSI grp: GPReferat B 24; Vorzimmerpvp
Subject: NIST-Framework

Dear colleagues,
attached I am sending you a brief report on the Cybersecurity Framework published yesterday.


Best regards

Michael Vogel


Attachments to document 2014-0088628.msg

1. VB BMI DHS 56_NIST-Framework.docx (3 pages)
2. Anlage 2 roadmap-021214.pdf (9 pages)
3. Anlage 1, cybersecurity-framework-021214-final.pdf (41 pages)
4. Anlage 3 Fed-Cyber-Report-Feb-4-2014.pdf (19 pages)
VB BMI DHS 12.02.2014
Cybersecurity in the USA

Summary

NIST “Cybersecurity Framework”

NIST has presented its so-called “Cybersecurity Framework” (CF).

After a summary review, it does not appear to differ fundamentally from the draft put up for discussion in 2013.

The CF continues to be designed as a voluntary guide for companies' critical self-assessment and as a “living document”.

Its core remains the presentation of the wide range of standards and best practices in use in industry, with the following five core areas:

• Identify: identification of the systems etc. to be protected

• Protect: safeguards to secure services relevant to critical infrastructure (KRITIS)

• Detect: detection of cyber security incidents

• Respond: procedures for countering such incidents

• Recover: procedures for remedying damage/impairment caused by such incidents.

So far the only difference from the 2013 draft is the deletion of the data protection section. The CF now contains only general remarks on data protection intended to raise potential users' awareness.


Cybersecurity within US government agencies

• A report by Senator Coburn (R-OK) on the state of protection of the US federal government's IT systems shows the, in places astonishingly deficient, level of protection in departments and agencies responsible for protecting critical infrastructure (KRITIS).

• Because of inadequate security precautions (no update or patch management, no or outdated antivirus programs etc.), sensitive data is said to have been left unprotected, to have leaked, and cyber attacks to have been facilitated.





I. NIST “Cybersecurity Framework”

NIST published the so-called “Cybersecurity Framework” (CF) today (see Annex 1). After a summary review, it does not appear to differ fundamentally from the draft put up for discussion in 2013 (see the report of 04.09.2013).

In particular, the core of the CF is retained, i.e. the presentation, subdivided into five core areas, of the wide range of standards and best practices in use in industry (“Identify”, “Protect”, “Detect”, “Respond” and “Recover”):
• Identify: identification of the systems, data, capabilities etc. to be protected; prioritisation in line with the organisation's tasks; definition of a corresponding implementation process

• Protect: development and implementation of safeguards to secure the delivery of KRITIS-relevant services.

• Detect: development and implementation of procedures for detecting cyber security incidents

• Respond: development and implementation of procedures for responding to such incidents.

• Recover: development and implementation of procedures for remedying damage/impairment caused by incidents.

As before, no new standards are created; existing ones are merely compiled, without obliging KRITIS operators to adopt them.


The CF also contains a methodology with which companies can see to what extent they already meet the standards it contains.

The only real difference from the previously published draft is the deletion of the data protection section. Instead, as already announced in the report of 31.01.2014, the CF contains in section 3.5 general remarks on data protection intended to sensitise potential users of the CF to the data protection implications of their actions.

As conversations last week between VP BSI and think tank representatives and the key staffers of the Senate Committee on Homeland Security have shown, experts here assume that although the CF creates no direct binding effect, it will probably define the standard of care in liability proceedings to a more than negligible degree and thus lead indirectly to a binding effect. If, in addition, effective incentives (state subsidies, preferential access to risk analyses etc.) for adopting CF standards can be created, this could exert further pressure on industry. In this respect the CF could prove to be an intelligent answer to the current legislative stalemate and at least broadly strengthen baseline IT protection in the private sector.

Finally, the CF contains a so-called roadmap of the most important areas of future development, alignment and collaboration in connection with the CF (Annex 2). According to it, the CF is to be developed further in the following areas, among others:

Authentication; automated sharing of indicators of cyber incidents; cybersecurity professionals (training, recruitment); data analytics; international aspects; supply chain risk management; technical data protection standards.
II. Cybersecurity within US government agencies

Shortly before publication of the CF, Senator Coburn (R-OK), a member of the Senate Committee on Homeland Security, published a report on the state of protection of the IT systems of agencies responsible for protecting critical infrastructure (“The Federal Government's Track Record on Cybersecurity and Critical Infrastructure”: see Annex 3).

On the basis of publicly known cyber incidents and unclassified audit reports by the internal audit bodies (Inspector General) of various agencies, Coburn finds astonishing deficiencies in baseline IT protection. Even highly sensitive bodies such as the securities regulator, the federal tax authority, the Department of Energy or even the IT department of DHS (NPPD) were found to have serious deficiencies in baseline IT protection. The following agencies were examined:


• Department of Homeland Security

• The Nuclear Regulatory Commission

• Internal Revenue Service

• Department of Education

• Department of Energy

• Securities and Exchange Commission


Among other things, the following failings were identified there:

• No or very deficient update or patch management

• Inadequate password security in sensitive areas (use of preset, easily guessable [e.g. “qwertz”] or badly outdated passwords [older than 90 days])

• Outdated or no antivirus software at all

• Storage of sensitive data on open drives/databases (e.g. details of the cyber security of nuclear power plants or similar facilities; vulnerability analysis for breaking into the stock exchanges' systems)


In view of these failings, Coburn concludes that while it is legitimate to demand high protection standards of KRITIS operators, in many cases it is precisely vulnerabilities at key points in key agencies of the US government that ultimately contribute to endangering KRITIS.

Dr. Vogel
NIST Roadmap for Improving Critical Infrastructure Cybersecurity
February 12, 2014


1. Introduction 


This companion Roadmap to the Framework for Improving Critical Infrastructure 
Cybersecurity ("the Framework") discusses NIST's next steps with the Framework 
and identifies key areas of development, alignment, and collaboration. These plans 
are based on input and feedback received from stakeholders through the 
Framework development process particularly on the "Areas for Improvement" 
section of the Preliminary Framework, which has been moved to this document. 


2. Evolution of the Cybersecurity Framework 


Since Executive Order 13636 was issued, NIST has played a convening role in 
developing the Framework, drawing heavily on standards, guidelines, and best 
practices already available to address key cybersecurity needs. NIST also relied on 
organizations and individuals with experience in reducing cybersecurity risk and 
managing critical infrastructure. 


Moving forward, NIST is committed to helping organizations understand and use the Framework. Organizations that are part of the critical infrastructure can use the Framework to better manage and reduce their cybersecurity risks.


Not all critical infrastructure organizations have a mature program and the technical 
expertise in place to identify, assess, and reduce cybersecurity risk. Many have not 
had the resources to keep up with the latest cybersecurity advances and challenges 
as they balance risks to their organizations. NIST intends to conduct a variety of 
activities to help organizations to use the Framework. For example, industry groups, 
associations, and non-profits can be key vehicles for strengthening awareness of the 
Framework. NIST will encourage these organizations to become even more actively 
engaged in cybersecurity issues, and to promote - and assist in the use of - the 
Framework as a basic, flexible, and adaptable tool for managing and reducing 
cybersecurity risks. NIST will build on existing relationships and expand its
outreach in these areas, in partnership with the Department of Homeland Security's 
(DHS) Voluntary Program. 


The Framework was intended to be a “living document,” stating that it “will continue to be updated and improved as industry provides feedback on implementation. As the Framework is put into practice, lessons learned will be integrated into future versions. This will ensure it is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.”


NIST will continue to serve in the capacity of "convener and coordinator" at least 
through version 2.0 of the Framework. This will ensure that the Framework 
advances steadily and addresses key areas that need further development. 
In the interest of continuous improvement, NIST will receive and consider comments about the Framework informally until it issues a formal notice of revision to version 1.0. At that point, NIST will specify a focus for comments and specific deadlines that will allow it to develop and publish proposed revisions in a timely and transparent fashion.


NIST intends to hold at least one workshop within six months after the Framework's 
issuance to provide a forum for stakeholders to share experiences in using the 
Framework. NIST will also hold one or more workshops and focused meetings on 
specific Areas for Development, Alignment, and Collaboration. 


3. Strengthening Private Sector Involvement in Future Governance of the 
Framework 


Even as NIST continues to support and improve the Framework, it will solicit input 
on options for long-term governance of the Framework including transitioning 
responsibility for the Framework to a non-government organization. Any transition 
must minimize or prevent potential disruption for organizations that are using the 
Framework. 


The ideal transition partner (or partners) would have the capacity to work closely 
and effectively with international organizations, in light of the importance of 
aligning cybersecurity standards, guidelines, and practices within the United States 
and globally. Transitioning to such a partner - along with NIST's continued support - 
would help to ensure that cybersecurity-related standards and approaches taken by 
the Framework avoid creating additional burdens on multinational organizations 
wanting to implement them. 


4. Areas for Development, Alignment, and Collaboration 


Executive Order 13636 states that the cybersecurity Framework will "identify areas 
for improvement that should be addressed through future collaboration with 
particular sectors and standards-developing organizations." Several high-priority 
areas for development, alignment, and collaboration are listed below based on 
stakeholder input and are described in the subsections below. 


This list of high-priority areas is not intended to be exhaustive. These are important areas identified by stakeholders that should inform future versions of the Framework. They require continued focus; they are important but evolving areas
that have yet to be developed or need further research and understanding. While 
tools, methodologies, and standards exist for some of the areas, they need to become 
more mature, available, and widely adopted. To be effective in addressing these 
areas, NIST will work with stakeholders to identify primary challenges, solicit input 
to address those identified needs, and collaboratively develop and execute action 
plans for addressing them. 


Many of these areas also reflect needed capabilities in the Framework Core. As 
progress is made in each of these areas, they can be immediately used in 
conjunction with the Framework to enhance or improve existing cybersecurity 
programs. Progress in these areas also becomes candidate improvements to the Framework.


4.1. Authentication 


Poor authentication mechanisms are a commonly exploited vector of attack by 
adversaries; the 2013 Data Breach Investigations Report (conducted by Verizon in 
concert with the U.S. Department of Homeland Security) noted that 76% of 2012 
network intrusions exploited weak or stolen credentials. Multi-Factor 
Authentication (MFA) can assist in closing these attack vectors by requiring 
individuals to augment passwords (“something you know”) with “something you 
have," such as a token, or "something you are,” such as a biometric. 


While new authentication solutions continue to emerge, there is only a partial 
framework of standards to promote security and interoperability. The usability of 
authentication approaches remains a significant challenge for many control systems, 
as many existing authentication tools are for standard computing platforms. 
Moreover, many solutions are geared only toward identification of individuals;
there are fewer standards-based approaches for automated device authentication. 


The inadequacy of passwords for authentication was a key driver behind the 2011 
issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), 
which calls upon the private sector to collaborate on development of an Identity 
Ecosystem that raises the level of trust associated with the identities of individuals, 
organizations, networks, services, and devices online. NSTIC is focused on consumer 
use cases, but the standards and policies that emerge from the privately-led Identity 
Ecosystem Steering Group (IDESG) established to support the NSTIC - as well as 
new authentication solutions that emerge from NSTIC pilots - can inform advances 
in authentication for critical infrastructure as well. 


NIST will focus on three areas: 


e Continue to support the development of better identity and authentication 
solutions through NSTIC pilots, as well as an active partnership with the 
IDESG; 

e Support and participate in identity and authentication standards activities, 

seeking to advance a more complete set of standards to promote security and 
interoperability; this will include standards development work to address 
gaps that may emerge from new approaches in the NSTIC pilots. 

e Conduct identity and authentication research complemented by the 
production of NIST Special Publications that support improved 
authentication practices. 


4.2. Automated Indicator Sharing 


The automated sharing of indicator information can provide organizations with 
timely, actionable information that they can use to detect and respond to 
cybersecurity events as they are occurring. Sharing indicators based on information 
that is discovered prior to and during incident response activities enables other 
organizations to deploy measures to detect, mitigate, and possibly prevent attacks
as they occur. Organizations tend to share a subset of indicator data to avoid 
exposing the organization to further risks. This information is shared through 
various channels including: information sharing communities (e.g., sector-specific 
ISACS, consortiums), peer-to-peer sharing with selected partners, and exchanges 
with security service providers. Receiving such indicators allows security 
automation technologies a better chance to detect past attacks, mitigate and 
remediate known vulnerabilities, identify compromised systems, and support the 
detection and mitigation of future attacks. 


Organizations use a combination of standard and proprietary mechanisms to 
exchange indicators that can be used to bolster defenses and to support early 
detection of future attack attempts. These mechanisms have differing strengths and 
weaknesses and often require organizations to maintain specific process, personnel, 
and technical capabilities. Groups of highly capable organizations commonly form 
communities to share useful indicator data. Established communities tend to grow 
through addition of newer members with lower capability. To make these 
communities more effective, appropriate standards need to be defined and then 
adopted in products to enable organizations of various levels of capability and size 
to make use of indicators and other related shared information. 


NIST will work together with private and public sector organizations to promote a 
global competitive marketplace of interoperable solutions that enable both small 
and large organizations to take advantage of indicator sharing. NIST will work with: 


• Private sector standards owners, consortia and others in industry-led, 
consensus-driven international standards organizations to fill current 
standards gaps based on well-defined use cases and requirements. 

• Private and public sector stakeholders to ensure that adequate 
implementation and common practice guidance is available regarding the 
generation, use, and sharing of indicator data. 


4.3. Conformity Assessment 


Conformity assessment can be used to show that a product, service, or system meets 
specified requirements for managing cybersecurity risk. The output of conformity 
assessment activities could be used to enhance an organization's understanding of 
its implementation of a Framework profile. Successful conformity assessment 
provides the needed level of confidence, is efficient, and has a sustainable and 
scalable business case. Critical infrastructure's evolving implementation of 
Framework profiles should drive the identification of private sector conformity 
assessment activities that address the confidence and information needs of 
stakeholders. 


NIST will help ensure that private and public sector conformity assessment needs 
are met by leveraging existing conformity assessment programs and other activities 
that produce evidence of conformity. This reduces the resource burden on the 
private sector. NIST will work with: 
• Private sector standards owners, consortia and others who manage 
conformity assessment programs to help all stakeholders understand how 
these programs can be further leveraged by those who have the need for 
conformity demonstration; and 

• Private and public sector entities that have a need for conformity 
demonstration, to help understand how these organizations can leverage 
existing programs. 


4.4. Cybersecurity Workforce 


A skilled cybersecurity workforce is needed to meet the unique cybersecurity needs 
of critical infrastructure. There is a well-documented shortage of general 
cybersecurity experts; however, there is a greater shortage of qualified 
cybersecurity experts who also have an understanding of the unique challenges 
posed to particular parts of critical infrastructure. As the cybersecurity threat and 
technology environment evolves, the cybersecurity workforce must continue to 
adapt to design, develop, implement, maintain and continuously improve the 
necessary cybersecurity practices within critical infrastructure environments. 


Various efforts, including the National Initiative for Cybersecurity Education (NICE), 
are currently fostering the training of a cybersecurity workforce for the future, 
establishing an operational, sustainable and continually improving cybersecurity 
education program to provide a pipeline of skilled workers for the private sector 
and government. Organizations must understand their current and future 
cybersecurity workforce needs, and develop hiring, acquisition, and training 
resources to raise the level of technical competence of those who build, operate, and 
defend systems delivering critical infrastructure services. 


NIST will continue to promote existing and future cybersecurity workforce 
development activities (including NICE), including coordinating with other 
government agencies, such as DHS. NIST and its partners will also continue to 
increase engagement with academia to expand and fill the cybersecurity workforce 
pipeline. 


Future NIST activities may include: 


• Extending and integrating NICE activities across critical infrastructure (CI) 
sectors to raise cybersecurity awareness; 

• Identifying and supporting foundational research opportunities in areas 
including cybersecurity awareness, training, and education, and security 
usability; 

• Understanding CI cybersecurity workforce needs; and 

• Issuing guidelines, tools, and other resources to develop, customize and 
deliver cybersecurity awareness, training, and education materials. 


4.5. Data Analytics 


Big data and the associated analytic tools coupled with the emergence of cloud, 
mobile, and social computing offer opportunities to process and analyze structured 
and unstructured cybersecurity-relevant data. Issues such as situational awareness 
of complex networks and large-scale infrastructures can be addressed. The analysis 
of complex behaviors in these large-scale systems can also address issues of 
provenance, attribution, and discernment of attack patterns. 


Several significant challenges must be overcome for the extraordinary potential of 
analytics to be realized, including the lack of: taxonomies of big data; mathematical 
and measurement foundations; analytic tools; measurement of integrity of tools; 
and correlation and causation. More importantly, the privacy implications in the use 
of these analytic tools must be addressed for legal and public confidence reasons. 


Future NIST activities may include: 


• Benchmarking and measurement of some of the fundamental scientific 
elements of big data (algorithms, machine learning, topology, graph theory, 
etc.) through means such as research, community evaluations, datasets, and 
challenge problems; 

• Support and participation in big data standards activities such as 
international standards bodies and production of community reference 
architectures and roadmaps; and 

• Production of NIST Special Publications on the secure application of big data 
analytic techniques in such areas as access control, continuous monitoring, 
attack warning and indicators, and security automation. 


4.6. Federal Agency Cybersecurity Alignment 


The Federal Information Security Management Act (FISMA) requires federal 
agencies to implement agency-wide programs to provide information security for 
the information and information systems that support the operations and assets of 
the agency, including those provided or managed by another agency, contractor, or 
other source. FISMA directed NIST to develop a suite of standards and guidelines 
which, when integrated, provide a Risk Management Framework to help agencies 
effectively identify, assess, and mitigate risk to agency operations, assets, and 
individuals. 


While developed for federal agency use, these standards and guidelines are 
frequently voluntarily used by non-federal organizations because of the flexible, 
risk-based, and cost-effective approach they offer. Specific federal standards and 
guidelines - often cited by non-Federal participants during development of the 
Cybersecurity Framework as resources they found useful in managing cybersecurity 
risk - were included as informative references in the Framework Core. 


The Cybersecurity Framework and the NIST Risk Management Framework both 
seek to achieve the same objective - improved management of cybersecurity risk. It 
is important that any effort to apply the Cybersecurity Framework across the 
Federal government complement and enhance rather than duplicate or conflict with 
existing statute, executive direction, policy, and standards. It should also seek to 
minimize the burden placed upon implementing departments and agencies by 
building from existing evaluation and reporting regimes, and encourage common 
and comparable evaluation of cybersecurity posture across federal departments and 
agencies, given diverse requirements and risk environments. 


NIST, working with our interagency partners, will: 


• Identify areas of alignment between existing Federal Information Processing 
Standards (FIPS), guidelines, frameworks, and other programs (e.g., 
Continuous Diagnostics and Mitigation) and the Cybersecurity Framework; 

• Identify and prioritize gaps where additional guidance may improve an 
agency's ability to manage cybersecurity risk, and demonstrate greater 
alignment with the Cybersecurity Framework; and 

• Leverage the Cybersecurity Framework to elevate the use and amplify the 
effectiveness of new and emerging Federal standards, guidelines, and 
programs. 


4.7. International Aspects, Impacts, and Alignment 


Globalization and advances in technology have driven unprecedented increases in 
innovation, competitiveness, and economic growth. Critical infrastructure has 
become dependent on these enabling technologies for increased efficiency and new 
capabilities. Many governments are proposing and enacting strategies, policies, 
laws, and regulations covering information technology for critical infrastructure as a 
result. Because many organizations and most sectors operate globally or rely on the 
interconnectedness of the global digital infrastructure, these requirements are 
affecting, or may affect, how organizations operate, conduct business, and develop 
new products and services. Diverse or specialized requirements can impede 
interoperability, result in duplication, harm cybersecurity, and hinder innovation. In 
turn, this can significantly reduce the availability and use of innovative technologies 
to critical infrastructures in all industries and hamper the ability of organizations to 
operate globally and to effectively manage new and evolving risks. 


Because the Framework references globally accepted standards, guidelines and 
practice, organizations domiciled inside and outside of the United States can use the 
Framework to efficiently operate globally and manage new and evolving risks. 


Conversely, broad use of the Framework will serve as a model approach to 
strengthening the critical infrastructure, while discouraging a balkanization caused 
from unique requirements that hamper interoperability and innovation, and limit 
the efficient and effective use of resources. 


NIST will continue to communicate the intent and approach of the 
Framework to the international community by: 


• Engaging foreign governments and entities directly to explain the 
Framework and seek alignment of approaches when possible; 
• Coordinating with federal agency partners to ensure full awareness with 
their stakeholder community; 
• Working with industry stakeholders to support their international 
engagement; and 
• Exchanging information and working with standards developing 
organizations, industry, and sectors to ensure the Cybersecurity 
Framework remains aligned and compatible with existing and developing 
standards and practices. 


4.8. Supply Chain Risk Management 


Supply chains consist of organizations that design, produce, source, and deliver 
products and services. All organizations are part of, and dependent upon, product 
and service supply chains. Supply chain risk is an essential part ofthe risk landscape 
that should be included in organizational risk management programs. Although 
many organizations have robust internal risk management processes, supply chain 
criticality and dependency analysis, collaboration, information sharing, and trust 
mechanisms remain a challenge. Organizations can struggle to identify their risks 
and prioritize their actions—leaving the weakest links susceptible to penetration 
and disruption. Supply chain risk management, especially product and service 
integrity, is an emerging discipline characterized by diverse perspectives, disparate 
bodies of knowledge, and fragmented standards and best practices. 


Increasing adoption of supply chain risk management standards, practices and 
guidelines requires greater awareness and understanding of the risks associated 
with the time-sensitive interdependencies throughout the supply chain, including in 
and between critical infrastructure sectors/subsectors. This understanding is vital 
to enable organizations to assess their risk, prioritize, and allow for timely 
mitigation. 


NIST's activities will focus on engaging stakeholders to: 


• Encourage broad industry engagement and leadership in supply chain 
risk management discussions and activities; 

• Promote the mapping of existing supply chain risk management 
standards, practices and guidelines to the Framework Core; 

• Identify challenges in Framework adoption and determine appropriate 
support to enable effective supply chain risk management; and 

• Determine the key challenges to supply chain risk management (e.g. 
identifying and understanding mission critical functions, their 
dependencies, and conducting and validating prioritization) to enable 
more effective Framework implementation. 


4.9. Technical Privacy Standards 


A key challenge for privacy has been the difficulty in reaching consensus on 
definition and scope management, given its nature of being context-dependent and 
relatively subjective. The Fair Information Practice Principles (FIPPs) - developed 
in the early stages of computerization and data aggregation to address the handling 
of individuals' personal information - have become foundational in the current 
conception of privacy. They have been used as a basis for a number of laws and 
regulations, as well as various sets of privacy principles and frameworks around the 
world. The FIPPs, however, are a process-oriented set of principles for handling 
personal information. They do not purport to define privacy in a way that has 
enabled the development of a risk management model nor do they provide specific 
technical standards or best practices that can guide organizations in implementing 
consistent processes to avoid violating the privacy of individuals. 


The lack of risk management model, standards, and supporting privacy metrics, 
makes it difficult to assess the effectiveness of an organization's privacy protection 
methods. Furthermore, organizational policies are often designed to address 
business risks that arise out of privacy violations, such as reputation or liability 
risks, rather than focusing on minimizing the risk of harm at an individual or 
societal level. Although research is being conducted in the public and private sectors 
to improve current privacy practices, many gaps remain. In particular, there are few 
identifiable technical standards or best practices to mitigate the impact of 
cybersecurity activities on individuals' privacy or civil liberties. 


To address these gaps and challenges, NIST will first host a privacy workshop in the 
second quarter of 2014. The workshop will focus on the advancement of privacy 
engineering as a foundation for the identification of technical standards and best 
practices that could be developed to mitigate the impact of cybersecurity activities 
on individuals' privacy or civil liberties. Modeled after security engineering, privacy 
engineering may call for the development of a privacy risk management model, 
privacy requirements and system design and development. Future NIST activities 
will build upon the outcomes of the workshop, and NIST will work with private and 
public sector entities to support improvements in the protection of individuals' 
privacy and civil liberties while securing critical infrastructure. 
Executive Summary 


The national and economic security of the United States depends on the reliable functioning of 
critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of 
critical infrastructure systems, placing the Nation's security, economy, and public safety and 
health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company's 
bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to 
innovate and to gain and maintain customers. 


To better address these risks, the President issued Executive Order 13636, “Improving Critical 
Infrastructure Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy of 
the United States to enhance the security and resilience of the Nation's critical infrastructure and 
to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity 
while promoting safety, security, business confidentiality, privacy, and civil liberties." In 
enacting this policy, the Executive Order calls for the development of a voluntary risk-based 
Cybersecurity Framework — a set of industry standards and best practices to help organizations 
manage cybersecurity risks. The resulting Framework, created through collaboration between 
government and the private sector, uses a common language to address and manage 
cybersecurity risk in a cost-effective way based on business needs without placing additional 
regulatory requirements on businesses. 


The Framework focuses on using business drivers to guide cybersecurity activities and 
considering cybersecurity risks as part of the organization's risk management processes. The 
Framework consists of three parts: the Framework Core, the Framework Profile, and the 
Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, 
outcomes, and informative references that are common across critical infrastructure sectors, 
providing the detailed guidance for developing individual organizational Profiles. Through use of 
the Profiles, the Framework will help the organization align its cybersecurity activities with its 
business requirements, risk tolerances, and resources. The Tiers provide a mechanism for 
organizations to view and understand the characteristics of their approach to managing 
cybersecurity risk. 


The Executive Order also requires that the Framework include a methodology to protect 
individual privacy and civil liberties when critical infrastructure organizations conduct 
cybersecurity activities. While processes and existing needs will differ, the Framework can assist 
organizations in incorporating privacy and civil liberties as part of a comprehensive 
cybersecurity program. 


The Framework enables organizations — regardless of size, degree of cybersecurity risk, or 
cybersecurity sophistication — to apply the principles and best practices of risk management to 
improving the security and resilience of critical infrastructure. The Framework provides 
organization and structure to today’s multiple approaches to cybersecurity by assembling 
standards, guidelines, and practices that are working effectively in industry today. Moreover, 
because it references globally recognized standards for cybersecurity, the Framework can also be 
used by organizations located outside the United States and can serve as a model for 
international cooperation on strengthening critical infrastructure cybersecurity. 


The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical 
infrastructure. Organizations will continue to have unique risks — different threats, different 
vulnerabilities, different risk tolerances — and how they implement the practices in the 
Framework will vary. Organizations can determine activities that are important to critical service 
delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, 
the Framework is aimed at reducing and better managing cybersecurity risks. 


The Framework is a living document and will continue to be updated and improved as industry 
provides feedback on implementation. As the Framework is put into practice, lessons learned 
will be integrated into future versions. This will ensure it is meeting the needs of critical 
infrastructure owners and operators in a dynamic and challenging environment of new threats, 
risks, and solutions. 


Use of this voluntary Framework is the next step to improve the cybersecurity of our Nation's 
critical infrastructure - providing guidance for individual organizations, while increasing the 
cybersecurity posture of the Nation's critical infrastructure as a whole. 




February 12, 2014 Cybersecurity Framework Version 1.0 


1.0 Framework Introduction 


The national and economic security of the United States depends on the reliable functioning of 
critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued 
Executive Order 13636 (EO), "Improving Critical Infrastructure Cybersecurity," on February 12, 
2013.¹ This Executive Order calls for the development of a voluntary Cybersecurity Framework 
("Framework") that provides a "prioritized, flexible, repeatable, performance-based, and cost- 
effective approach" to manage cybersecurity risk for those processes, information, and systems 
directly involved in the delivery of critical infrastructure services. The Framework, developed in 
collaboration with industry, provides guidance to an organization on managing cybersecurity 
risk. 


Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so 
vital to the United States that the incapacity or destruction of such systems and assets would have 
a debilitating impact on security, national economic security, national public health or safety, or 
any combination of those matters." Due to the increasing pressures from external and internal 
threats, organizations responsible for critical infrastructure need to have a consistent and iterative 
approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary 
regardless of an organization's size, threat exposure, or cybersecurity sophistication today. 


The critical infrastructure community includes public and private owners and operators, and 
other entities with a role in securing the Nation's infrastructure. Members of each critical 
infrastructure sector perform functions that are supported by information technology (IT) and 
industrial control systems (ICS).² This reliance on technology, communication, and the 
interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and 
increased potential risk to operations. For example, as ICS and the data produced in ICS 
operations are increasingly used to deliver critical services and support business decisions, the 
potential impacts of a cybersecurity incident on an organization's business, assets, health and 
safety of individuals, and the environment should be considered. To manage cybersecurity risks, 
a clear understanding of the organization's business drivers and security considerations specific 
to its use of IT and ICS is required. Because each organization's risk is unique, along with its use 
of IT and ICS, the tools and methods used to achieve the outcomes described by the Framework 
will vary. 


Recognizing the role that the protection of privacy and civil liberties plays in creating greater 
public trust, the Executive Order requires that the Framework include a methodology to protect 
individual privacy and civil liberties when critical infrastructure organizations conduct 
cybersecurity activities. Many organizations already have processes for addressing privacy and 
civil liberties. The methodology is designed to complement such processes and provide guidance 
to facilitate privacy risk management consistent with an organization's approach to cybersecurity 
risk management. Integrating privacy and cybersecurity can benefit organizations by increasing 
customer confidence, enabling more standardized sharing of information, and simplifying 
operations across legal regimes. 





¹ Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 
2013. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf 

² The DHS Critical Infrastructure program provides a listing of the sectors and their associated critical functions 
and value chains. http://www.dhs.gov/critical-infrastructure-sectors 
To ensure extensibility and enable technical innovation, the Framework is technology neutral. 
The Framework relies on a variety of existing standards, guidelines, and practices to enable 
critical infrastructure providers to achieve resilience. By relying on those global standards, 
guidelines, and practices developed, managed, and updated by industry, the tools and methods 
available to achieve the Framework outcomes will scale across borders, acknowledge the global 
nature of cybersecurity risks, and evolve with technological advances and business requirements. 
The use of existing and emerging standards will enable economies of scale and drive the 
development of effective products, services, and practices that meet identified market needs. 
Market competition also promotes faster diffusion of these technologies and practices and 
realization of many benefits by the stakeholders in these sectors. 


Building from those standards, guidelines, and practices, the Framework provides a common 
taxonomy and mechanism for organizations to: 


1) Describe their current cybersecurity posture; 
2) Describe their target state for cybersecurity; 
3) Identify and prioritize opportunities for improvement within the context of a 
continuous and repeatable process; 
4) Assess progress toward the target state; 
5) Communicate among internal and external stakeholders about cybersecurity risk. 


The Framework complements, and does not replace, an organization's risk management process 
and cybersecurity program. The organization can use its current processes and leverage the 
Framework to identify opportunities to strengthen and communicate its management of 
cybersecurity risk while aligning with industry practices. Alternatively, an organization without 
an existing cybersecurity program can use the Framework as a reference to establish one. 


Just as the Framework is not industry-specific, the common taxonomy of standards, guidelines, 
and practices that it provides also is not country-specific. Organizations outside the United States 
may also use the Framework to strengthen their own cybersecurity efforts, and the Framework 
can contribute to developing a common language for international cooperation on critical 
infrastructure cybersecurity. 


1.1 Overview of the Framework 


The Framework is a risk-based approach to managing cybersecurity risk, and is composed of 
three parts: the Framework Core, the Framework Implementation Tiers, and the Framework 
Profiles. Each Framework component reinforces the connection between business drivers and 
cybersecurity activities. These components are explained below. 


• The Framework Core is a set of cybersecurity activities, desired outcomes, and 
applicable references that are common across critical infrastructure sectors. The Core 
presents industry standards, guidelines, and practices in a manner that allows for 
communication of cybersecurity activities and outcomes across the organization from the 
executive level to the implementation/operations level. The Framework Core consists of 
five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. 
When considered together, these Functions provide a high-level, strategic view of the 
lifecycle of an organization's management of cybersecurity risk. The Framework Core 
then identifies underlying key Categories and Subcategories for each Function, and 
matches them with example Informative References such as existing standards, 
guidelines, and practices for each Subcategory. 


• Framework Implementation Tiers ("Tiers") provide context on how an organization 
views cybersecurity risk and the processes in place to manage that risk. Tiers describe the 
degree to which an organization's cybersecurity risk management practices exhibit the 
characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and 
adaptive). The Tiers characterize an organization's practices over a range, from Partial 
(Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive 
responses to approaches that are agile and risk-informed. During the Tier selection 
process, an organization should consider its current risk management practices, threat 
environment, legal and regulatory requirements, business/mission objectives, and 
organizational constraints. 


• A Framework Profile ("Profile") represents the outcomes based on business needs that an 
organization has selected from the Framework Categories and Subcategories. The Profile 
can be characterized as the alignment of standards, guidelines, and practices to the 
Framework Core in a particular implementation scenario. Profiles can be used to identify 
opportunities for improving cybersecurity posture by comparing a "Current" Profile (the 
"as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, an 
organization can review all of the Categories and Subcategories and, based on business 
drivers and a risk assessment, determine which are most important; they can add 
Categories and Subcategories as needed to address the organization's risks. The Current 
Profile can then be used to support prioritization and measurement of progress toward the 
Target Profile, while factoring in other business needs including cost-effectiveness and 
innovation. Profiles can be used to conduct self-assessments and communicate within an 
organization or between organizations. 
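The Current-versus-Target Profile comparison described above, worked through as an added example (not code from NIST or the Framework): each Profile lists Subcategories with an implementation status and a business-driver weight, the gap analysis ranks the shortfalls and reports progress toward the Target. The Subcategory identifiers follow the Framework Core's Function.Category-n naming, but the particular entries, the three-level status scale and the weights are constructed assumptions for this illustration.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Added illustration, not NIST's code. Subcategory identifiers follow the
Framework Core's "Function.Category-n" naming (e.g. ID.AM-1); the entries,
the three-level implementation status scale and the business-driver weights
below are constructed assumptions for this example.
"""
from dataclasses import dataclass

# Ordinal status scale (assumed): higher means closer to the desired outcome.
STATUS = {"not_implemented": 0, "partial": 1, "implemented": 2}


@dataclass(frozen=True)
class ProfileEntry:
    subcategory: str   # e.g. "PR.AC-1"; may also be an organization-added one
    outcome: str       # short description of the desired outcome
    status: str        # one of the keys of STATUS
    weight: int = 1    # priority from business drivers / risk assessment (1-5)


def function_of(subcategory: str) -> str:
    """The Function is the prefix before the first dot (ID, PR, DE, RS, RC)."""
    return subcategory.split(".", 1)[0]


def gap_analysis(current, target):
    """Compare a Current Profile against a Target Profile.

    Returns (gaps, progress):
      gaps     - list of (subcategory, current_status, target_status, weight,
                 score) sorted by score descending, where
                 score = weight * (target level - current level)
      progress - fraction of Target Profile outcomes the Current Profile
                 already meets, for measuring progress over time
    """
    cur = {e.subcategory: e for e in current}
    gaps, met = [], 0
    for t in target:
        c = cur.get(t.subcategory)
        # A Subcategory absent from the Current Profile counts as not done.
        c_status = c.status if c else "not_implemented"
        distance = STATUS[t.status] - STATUS[c_status]
        if distance <= 0:
            met += 1
            continue
        gaps.append((t.subcategory, c_status, t.status, t.weight,
                     t.weight * distance))
    gaps.sort(key=lambda g: (-g[4], g[0]))
    progress = met / len(target) if target else 1.0
    return gaps, progress


def gaps_by_function(gaps):
    """Roll the remaining gap score up per Function for an executive view."""
    totals = {}
    for sub, *_rest, score in gaps:
        totals[function_of(sub)] = totals.get(function_of(sub), 0) + score
    return totals


# Constructed sample Profiles (assumed statuses and weights, not real data).
CURRENT_PROFILE = [
    ProfileEntry("ID.AM-1", "Physical devices inventoried", "implemented"),
    ProfileEntry("ID.AM-2", "Software platforms inventoried", "partial"),
    ProfileEntry("PR.AC-1", "Identities and credentials managed", "partial"),
    ProfileEntry("DE.CM-1", "Network monitored for events", "not_implemented"),
]
TARGET_PROFILE = [
    ProfileEntry("ID.AM-1", "Physical devices inventoried", "implemented", 3),
    ProfileEntry("ID.AM-2", "Software platforms inventoried", "implemented", 3),
    ProfileEntry("PR.AC-1", "Identities and credentials managed", "implemented", 5),
    ProfileEntry("DE.CM-1", "Network monitored for events", "implemented", 4),
    ProfileEntry("RS.RP-1", "Response plan executed during incident", "partial", 4),
    # An organization-added Subcategory, as the Framework allows.
    ProfileEntry("ORG.SC-1", "Supplier firmware integrity verified", "partial", 2),
]

if __name__ == "__main__":
    gaps, progress = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    print(f"progress toward Target Profile: {progress:.0%}")
    for sub, c_status, t_status, weight, score in gaps:
        print(f"{score:3d}  {sub:9s} {c_status} -> {t_status} (weight {weight})")
    print("open gap score per Function:", gaps_by_function(gaps))
```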


1.2 Risk Management and the Cybersecurity Framework 


Risk management is the ongoing process of identifying, assessing, and responding to risk. To 
manage risk, organizations should understand the likelihood that an event will occur and the 
resulting impact. With this information, organizations can determine the acceptable level of risk 
for delivery of services and can express this as their risk tolerance. 


With an understanding of risk tolerance, organizations can prioritize cybersecurity activities, 
enabling organizations to make informed decisions about cybersecurity expenditures. 
Implementation of risk management programs offers organizations the ability to quantify and 
communicate adjustments to their cybersecurity programs. Organizations may choose to handle 
risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or 
accepting the risk, depending on the potential impact to the delivery of critical services. 


The Framework uses risk management processes to enable organizations to inform and prioritize 
decisions regarding cybersecurity. It supports recurring risk assessments and validation of 
business drivers to help organizations select target states for cybersecurity activities that reflect 
desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and 
direct improvement in cybersecurity risk management for the IT and ICS environments. 
The Framework is adaptive to provide a flexible and risk-based implementation that can be used 
with a broad array of cybersecurity risk management processes. Examples of cybersecurity risk 
management processes include International Organization for Standardization (ISO) 
31000:2009 [3], ISO/IEC 27005:2011 [4], National Institute of Standards and Technology (NIST) 
Special Publication (SP) 800-39 [5], and the Electricity Subsector Cybersecurity Risk Management 
Process (RMP) guideline [6]. 


1.3 Document Overview 


The remainder of this document contains the following sections and appendices: 

• Section 2 describes the Framework components: the Framework Core, the Tiers, and the 
Profiles. 

• Section 3 presents examples of how the Framework can be used. 

• Appendix A presents the Framework Core in a tabular format: the Functions, Categories, 
Subcategories, and Informative References. 

• Appendix B contains a glossary of selected terms. 

• Appendix C lists acronyms used in this document. 





[3] International Organization for Standardization, Risk management — Principles and guidelines, ISO 31000:2009, 
2009. http://www.iso.org/iso/home/standards/iso31000.htm 

[4] International Organization for Standardization/International Electrotechnical Commission, Information 
technology — Security techniques — Information security risk management, ISO/IEC 27005:2011, 2011. 
http://www.iso.org/iso/catalogue_detail?csnumber=56742 

[5] Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and 
Information System View, NIST Special Publication 800-39, March 2011. 
http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf 

[6] U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May 
2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf 
2.0 Framework Basics 


The Framework provides a common language for understanding, managing, and expressing 
cybersecurity risk both internally and externally. It can be used to help identify and prioritize 
actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and 
technological approaches to managing that risk. It can be used to manage cybersecurity risk 
across entire organizations or it can be focused on the delivery of critical services within an 
organization. Different types of entities — including sector coordinating structures, associations, 
and organizations — can use the Framework for different purposes, including the creation of 
common Profiles. 


2.1 Framework Core 


The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and 
references examples of guidance to achieve those outcomes. The Core is not a checklist of 
actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in 
managing cybersecurity risk. The Core comprises four elements: Functions, Categories, 
Subcategories, and Informative References, depicted in Figure 1: 





[Figure 1: Framework Core Structure (figure not reproduced; column headings: Functions | Categories | Subcategories | Informative References)] 


The Framework Core elements work together as follows: 


• Functions organize basic cybersecurity activities at their highest level. These Functions 
are Identify, Protect, Detect, Respond, and Recover. They aid an organization in 
expressing its management of cybersecurity risk by organizing information, enabling risk 
management decisions, addressing threats, and improving by learning from previous 
activities. The Functions also align with existing methodologies for incident management 
and help show the impact of investments in cybersecurity. For example, investments in 
planning and exercises support timely response and recovery actions, resulting in reduced 
impact to the delivery of services. 


• Categories are the subdivisions of a Function into groups of cybersecurity outcomes 
closely tied to programmatic needs and particular activities. Examples of Categories 
include “Asset Management,” “Access Control,” and “Detection Processes.” 
• Subcategories further divide a Category into specific outcomes of technical and/or 
management activities. They provide a set of results that, while not exhaustive, help 
support achievement of the outcomes in each Category. Examples of Subcategories 
include “External information systems are catalogued,” “Data-at-rest is protected,” and 
"Notifications from detection systems are investigated." 


• Informative References are specific sections of standards, guidelines, and practices 
common among critical infrastructure sectors that illustrate a method to achieve the 
outcomes associated with each Subcategory. The Informative References presented in the 
Framework Core are illustrative and not exhaustive. They are based upon cross-sector 
guidance most frequently referenced during the Framework development process. [7] 


The five Framework Core Functions are defined below. These Functions are not intended to 
form a serial path, or lead to a static desired end state. Rather, the Functions can be performed 
concurrently and continuously to form an operational culture that addresses the dynamic 
cybersecurity risk. See Appendix A for the complete Framework Core listing. 


• Identify — Develop the organizational understanding to manage cybersecurity risk to 
systems, assets, data, and capabilities. 


The activities in the Identify Function are foundational for effective use of the 
Framework. Understanding the business context, the resources that support critical 
functions, and the related cybersecurity risks enables an organization to focus and 
prioritize its efforts, consistent with its risk management strategy and business needs. 
Examples of outcome Categories within this Function include: Asset Management; 
Business Environment; Governance; Risk Assessment; and Risk Management Strategy. 


• Protect — Develop and implement the appropriate safeguards to ensure delivery of 
critical infrastructure services. 


The Protect Function supports the ability to limit or contain the impact of a potential 
cybersecurity event. Examples of outcome Categories within this Function include: 
Access Control; Awareness and Training; Data Security; Information Protection 
Processes and Procedures; Maintenance; and Protective Technology. 


• Detect — Develop and implement the appropriate activities to identify the occurrence of a 
cybersecurity event. 


The Detect Function enables timely discovery of cybersecurity events. Examples of 
outcome Categories within this Function include: Anomalies and Events; Security 
Continuous Monitoring; and Detection Processes. 


• Respond — Develop and implement the appropriate activities to take action regarding a 
detected cybersecurity event. 





[7] NIST developed a Compendium of informative references gathered from the Request for Information (RFI) 
input, Cybersecurity Framework workshops, and stakeholder engagement during the Framework development 
process. The Compendium includes standards, guidelines, and practices to assist with implementation. The 
Compendium is not intended to be an exhaustive list, but rather a starting point based on initial stakeholder 
input. The Compendium and other supporting material can be found at http://www.nist.gov/cyberframework/. 




The Respond Function supports the ability to contain the impact of a potential 
cybersecurity event. Examples of outcome Categories within this Function include: 
Response Planning; Communications; Analysis; Mitigation; and Improvements. 


• Recover — Develop and implement the appropriate activities to maintain plans for 
resilience and to restore any capabilities or services that were impaired due to a 
cybersecurity event. 


The Recover Function supports timely recovery to normal operations to reduce the 
impact from a cybersecurity event. Examples of outcome Categories within this Function 
include: Recovery Planning; Improvements; and Communications. 


2.2 Framework Implementation Tiers 


The Framework Implementation Tiers (“Tiers”) provide context on how an organization views 
cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial 
(Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in 
cybersecurity risk management practices and the extent to which cybersecurity risk management 
is informed by business needs and is integrated into an organization's overall risk management 
practices. Risk management considerations include many aspects of cybersecurity, including the 
degree to which privacy and civil liberties considerations are integrated into an organization's 
management of cybersecurity risk and potential risk responses. 


The Tier selection process considers an organization's current risk management practices, threat 
environment, legal and regulatory requirements, business/mission objectives, and organizational 
constraints. Organizations should determine the desired Tier, ensuring that the selected level 
meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical 
assets and resources to levels acceptable to the organization. Organizations should consider 
leveraging external guidance obtained from Federal government departments and agencies, 
Information Sharing and Analysis Centers (ISACs), existing maturity models, or other sources to 
assist in determining their desired tier. 


While organizations identified as Tier 1 (Partial) are encouraged to consider moving toward Tier 
2 or greater, Tiers do not represent maturity levels. Progression to higher Tiers is encouraged 
when such a change would reduce cybersecurity risk and be cost effective. Successful 
implementation of the Framework is based upon achievement of the outcomes described in the 
organization's Target Profile(s) and not upon Tier determination. 
The Tier definitions are as follows: 


Tier 1: Partial 


• Risk Management Process — Organizational cybersecurity risk management practices are 
not formalized, and risk is managed in an ad hoc and sometimes reactive manner. 
Prioritization of cybersecurity activities may not be directly informed by organizational 
risk objectives, the threat environment, or business/mission requirements. 


• Integrated Risk Management Program — There is limited awareness of cybersecurity risk 
at the organizational level and an organization-wide approach to managing cybersecurity 
risk has not been established. The organization implements cybersecurity risk 
management on an irregular, case-by-case basis due to varied experience or information 
gained from outside sources. The organization may not have processes that enable 
cybersecurity information to be shared within the organization. 


• External Participation — An organization may not have the processes in place to 
participate in coordination or collaboration with other entities. 


Tier 2: Risk Informed 


• Risk Management Process — Risk management practices are approved by management 
but may not be established as organizational-wide policy. Prioritization of cybersecurity 
activities is directly informed by organizational risk objectives, the threat environment, or 
business/mission requirements. 


• Integrated Risk Management Program — There is an awareness of cybersecurity risk at 
the organizational level but an organization-wide approach to managing cybersecurity 
risk has not been established. Risk-informed, management-approved processes and 
procedures are defined and implemented, and staff has adequate resources to perform 
their cybersecurity duties. Cybersecurity information is shared within the organization on 
an informal basis. 


• External Participation — The organization knows its role in the larger ecosystem, but has 
not formalized its capabilities to interact and share information externally. 


Tier 3: Repeatable 


• Risk Management Process — The organization's risk management practices are formally 
approved and expressed as policy. Organizational cybersecurity practices are regularly 
updated based on the application of risk management processes to changes in 
business/mission requirements and a changing threat and technology landscape. 


• Integrated Risk Management Program — There is an organization-wide approach to 
manage cybersecurity risk. Risk-informed policies, processes, and procedures are 
defined, implemented as intended, and reviewed. Consistent methods are in place to 
respond effectively to changes in risk. Personnel possess the knowledge and skills to 
perform their appointed roles and responsibilities. 


• External Participation — The organization understands its dependencies and partners and 
receives information from these partners that enables collaboration and risk-based 
management decisions within the organization in response to events. 
Tier 4: Adaptive 


• Risk Management Process — The organization adapts its cybersecurity practices based on 
lessons learned and predictive indicators derived from previous and current cybersecurity 
activities. Through a process of continuous improvement incorporating advanced 
cybersecurity technologies and practices, the organization actively adapts to a changing 
cybersecurity landscape and responds to evolving and sophisticated threats in a timely 
manner. 


• Integrated Risk Management Program — There is an organization-wide approach to 
managing cybersecurity risk that uses risk-informed policies, processes, and procedures 
to address potential cybersecurity events. Cybersecurity risk management is part of the 
organizational culture and evolves from an awareness of previous activities, information 
shared by other sources, and continuous awareness of activities on their systems and 
networks. 


• External Participation — The organization manages risk and actively shares information 
with partners to ensure that accurate, current information is being distributed and 
consumed to improve cybersecurity before a cybersecurity event occurs. 


2.3 Framework Profile 


The Framework Profile (“Profile”) is the alignment of the Functions, Categories, and 
Subcategories with the business requirements, risk tolerance, and resources of the organization. 
A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well 
aligned with organizational and sector goals, considers legal/regulatory requirements and 
industry best practices, and reflects risk management priorities. Given the complexity of many 
organizations, they may choose to have multiple profiles, aligned with particular components and 
recognizing their individual needs. 


Framework Profiles can be used to describe the current state or the desired target state of specific 
cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that are 
currently being achieved. The Target Profile indicates the outcomes needed to achieve the 
desired cybersecurity risk management goals. Profiles support business/mission requirements 
and aid in the communication of risk within and between organizations. This Framework 
document does not prescribe Profile templates, allowing for flexibility in implementation. 


Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be 
addressed to meet cybersecurity risk management objectives. An action plan to address these 
gaps can contribute to the roadmap described above. Prioritization of gap mitigation is driven by 
the organization's business needs and risk management processes. This risk-based approach 
enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve 
cybersecurity goals in a cost-effective, prioritized manner. 
2.4 Coordination of Framework Implementation 


Figure 2 describes a common flow of information and decisions at the following levels within an 
organization: 


• Executive 
• Business/Process 
• Implementation/Operations 


The executive level communicates the mission priorities, available resources, and overall risk 
tolerance to the business/process level. The business/process level uses the information as inputs 
into the risk management process, and then collaborates with the implementation/operations 
level to communicate business needs and create a Profile. The implementation/operations level 
communicates the Profile implementation progress to the business/process level. The 
business/process level uses this information to perform an impact assessment. Business/process 
level management reports the outcomes of that impact assessment to the executive level to 
inform the organization's overall risk management process and to the implementation/operations 
level for awareness of business impact. 


[Figure 2: Notional Information and Decision Flows within an Organization (figure not reproduced; legible labels: Risk Management; Changes in Current and ... Risk; ... and Risk Appetite and Budget; Implementation)] 
3.0 How to Use the Framework 


An organization can use the Framework as a key part of its systematic process for identifying, 
assessing, and managing cybersecurity risk. The Framework is not designed to replace existing 
processes; an organization can use its current process and overlay it onto the Framework to 
determine gaps in its current cybersecurity risk approach and develop a roadmap to 
improvement. Utilizing the Framework as a cybersecurity risk management tool, an organization 
can determine activities that are most important to critical service delivery and prioritize 
expenditures to maximize the impact of the investment. 


The Framework is designed to complement existing business and cybersecurity operations. It can 
serve as the foundation for a new cybersecurity program or a mechanism for improving an 
existing program. The Framework provides a means of expressing cybersecurity requirements to 
business partners and customers and can help identify gaps in an organization's cybersecurity 
practices. It also provides a general set of considerations and processes for considering privacy 
and civil liberties implications in the context of a cybersecurity program. 


The following sections present different ways in which organizations can use the Framework. 


3.1 Basic Review of Cybersecurity Practices 


The Framework can be used to compare an organization’s current cybersecurity activities with 
those outlined in the Framework Core. Through the creation of a Current Profile, organizations 
can examine the extent to which they are achieving the outcomes described in the Core 
Categories and Subcategories, aligned with the five high-level Functions: Identify, Protect, 
Detect, Respond, and Recover. An organization may find that it is already achieving the desired 
outcomes, thus managing cybersecurity commensurate with the known risk. Conversely, an 
organization may determine that it has opportunities to (or needs to) improve. The organization 
can use that information to develop an action plan to strengthen existing cybersecurity practices 
and reduce cybersecurity risk. An organization may also find that it is overinvesting to achieve 
certain outcomes. The organization can use this information to reprioritize resources to 
strengthen other cybersecurity practices. 


While they do not replace a risk management process, these five high-level Functions will 
provide a concise way for senior executives and others to distill the fundamental concepts of 
cybersecurity risk so that they can assess how identified risks are managed, and how their 
organization stacks up at a high level against existing cybersecurity standards, guidelines, and 
practices. The Framework can also help an organization answer fundamental questions, 
including “How are we doing?” Then they can move in a more informed way to strengthen their 
cybersecurity practices where and when deemed necessary. 


3.2 Establishing or Improving a Cybersecurity Program 


The following steps illustrate how an organization could use the Framework to create a new 
cybersecurity program or improve an existing program. These steps should be repeated as 
necessary to continuously improve cybersecurity. 
Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and 
high-level organizational priorities. With this information, the organization makes strategic 
decisions regarding cybersecurity implementations and determines the scope of systems and 
assets that support the selected business line or process. The Framework can be adapted to 
support the different business lines or processes within an organization, which may have 
different business needs and associated risk tolerance. 


Step 2: Orient. Once the scope of the cybersecurity program has been determined for the 
business line or process, the organization identifies related systems and assets, regulatory 
requirements, and overall risk approach. The organization then identifies threats to, and 
vulnerabilities of, those systems and assets. 


Step 3: Create a Current Profile. The organization develops a Current Profile by indicating 
which Category and Subcategory outcomes from the Framework Core are currently being 
achieved. 


Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization's 
overall risk management process or previous risk assessment activities. The organization 
analyzes the operational environment in order to discern the likelihood of a cybersecurity event 
and the impact that the event could have on the organization. It is important that organizations 
seek to incorporate emerging risks and threat and vulnerability data to facilitate a robust 
understanding of the likelihood and impact of cybersecurity events. 


Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the 
assessment of the Framework Categories and Subcategories describing the organization's desired 
cybersecurity outcomes. Organizations also may develop their own additional Categories and 
Subcategories to account for unique organizational risks. The organization may also consider 
influences and requirements of external stakeholders such as sector entities, customers, and 
business partners when creating a Target Profile. 


Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current 
Profile and the Target Profile to determine gaps. Next it creates a prioritized action plan to 
address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of 
risk to achieve the outcomes in the Target Profile. The organization then determines resources 
necessary to address the gaps. Using Profiles in this manner enables the organization to make 
informed decisions about cybersecurity activities, supports risk management, and enables the 
organization to perform cost-effective, targeted improvements. 


Step 7: Implement Action Plan. The organization determines which actions to take in regards 
to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity 
practices against the Target Profile. For further guidance, the Framework identifies example 
Informative References regarding the Categories and Subcategories, but organizations should 
determine which standards, guidelines, and practices, including those that are sector specific, 
work best for their needs. 


An organization may repeat the steps as needed to continuously assess and improve its 
cybersecurity. For instance, organizations may find that more frequent repetition of the orient 
step improves the quality of risk assessments. Furthermore, organizations may monitor progress 
through iterative updates to the Current Profile, subsequently comparing the Current Profile to 
the Target Profile. Organizations may also utilize this process to align their cybersecurity 
program with their desired Framework Implementation Tier. 
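The Profile work in Steps 3 through 6, and the iterative monitoring described above, reduce to a small amount of bookkeeping once a Profile is recorded as the achievement status of each Subcategory outcome. The following Python is an added, constructed example (not part of the Framework document and not a NIST tool): it determines the gaps between a Current and a Target Profile, ranks them with a simple cost/benefit score built from the Step 4 likelihood and impact estimates, flags the over-investment Section 3.1 mentions, and reports progress after each Current Profile update. The identifiers follow the Appendix A naming scheme; the statuses, likelihood, impact and cost values are invented sample data, and the scoring heuristic is ours, not the Framework's.

```python
"""Profile gap analysis in the style of Section 3.2, Steps 3 to 6 (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Status(Enum):
    """How far a Subcategory outcome is achieved, as recorded in a Profile."""
    NOT_ACHIEVED = 0
    PARTIAL = 1
    ACHIEVED = 2


@dataclass(frozen=True)
class Outcome:
    """A Subcategory outcome plus the Step 4 risk-assessment inputs for it.

    likelihood and impact run from 1 (low) to 5 (high); cost is the relative
    effort to close the gap, 1 (cheap) to 5 (expensive). All values are constructed.
    """
    identifier: str
    text: str
    likelihood: int
    impact: int
    cost: int


# A Profile records, per Subcategory identifier, the achievement status.
Profile = Dict[str, Status]


@dataclass(frozen=True)
class Gap:
    outcome: Outcome
    current: Status
    target: Status

    @property
    def risk(self) -> int:
        return self.outcome.likelihood * self.outcome.impact

    @property
    def priority(self) -> float:
        # Cost/benefit heuristic (ours, not the Framework's): risk addressed,
        # scaled by how many status steps the gap spans, per unit of cost.
        steps = self.target.value - self.current.value
        return self.risk * steps / self.outcome.cost


def determine_gaps(current: Profile, target: Profile,
                   catalogue: Dict[str, Outcome]) -> List[Gap]:
    """Step 6: every Target outcome the Current Profile falls short of."""
    gaps = []
    for identifier, wanted in target.items():
        # An outcome absent from the Current Profile has not been achieved.
        have = current.get(identifier, Status.NOT_ACHIEVED)
        if have.value < wanted.value:
            gaps.append(Gap(catalogue[identifier], have, wanted))
    return gaps


def prioritize(gaps: List[Gap]) -> List[Gap]:
    """Step 6: order the action plan by the cost/benefit score, highest first."""
    return sorted(gaps, key=lambda g: g.priority, reverse=True)


def overinvestment(current: Profile, target: Profile) -> List[str]:
    """Section 3.1: outcomes achieved beyond what the Target Profile asks for."""
    return [i for i, s in current.items()
            if s.value > target.get(i, Status.NOT_ACHIEVED).value]


def progress(current: Profile, target: Profile) -> float:
    """Share of Target outcomes already met; re-run after each Current Profile update."""
    met = sum(1 for i, wanted in target.items()
              if current.get(i, Status.NOT_ACHIEVED).value >= wanted.value)
    return met / len(target)


# Constructed sample data. Identifiers follow the Appendix A scheme; three of the
# outcome texts are the Subcategory examples quoted in Section 2.1; scores are invented.
CATALOGUE = {
    "ID.AM-4": Outcome("ID.AM-4", "External information systems are catalogued", 3, 3, 1),
    "PR.DS-1": Outcome("PR.DS-1", "Data-at-rest is protected", 4, 5, 4),
    "PR.AC-1": Outcome("PR.AC-1", "Identities and credentials are managed", 4, 4, 3),
    "RS.AN-1": Outcome("RS.AN-1", "Notifications from detection systems are investigated", 5, 3, 2),
}
CURRENT_PROFILE: Profile = {"ID.AM-4": Status.NOT_ACHIEVED, "PR.DS-1": Status.PARTIAL,
                            "PR.AC-1": Status.ACHIEVED, "RS.AN-1": Status.PARTIAL}
TARGET_PROFILE: Profile = {"ID.AM-4": Status.ACHIEVED, "PR.DS-1": Status.ACHIEVED,
                           "PR.AC-1": Status.PARTIAL, "RS.AN-1": Status.ACHIEVED}

if __name__ == "__main__":
    for gap in prioritize(determine_gaps(CURRENT_PROFILE, TARGET_PROFILE, CATALOGUE)):
        print(f"{gap.outcome.identifier}: {gap.current.name} -> {gap.target.name}, "
              f"risk={gap.risk}, priority={gap.priority:.1f}")
    print("over-invested:", overinvestment(CURRENT_PROFILE, TARGET_PROFILE))
    print(f"target outcomes met: {progress(CURRENT_PROFILE, TARGET_PROFILE):.0%}")
```

With the sample data the cheap, two-step ID.AM-4 gap ranks above the higher-risk but costly PR.DS-1 gap, which is the kind of cost/benefit trade-off Step 6 asks the organization to make explicit.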


3.3 Communicating Cybersecurity Requirements with Stakeholders 


The Framework provides a common language to communicate requirements among 
interdependent stakeholders responsible for the delivery of essential critical infrastructure 
services. Examples include: 


• An organization may utilize a Target Profile to express cybersecurity risk management 
requirements to an external service provider (e.g., a cloud provider to which it is 
exporting data). 

• An organization may express its cybersecurity state through a Current Profile to report 
results or to compare with acquisition requirements. 

• A critical infrastructure owner/operator, having identified an external partner on whom 
that infrastructure depends, may use a Target Profile to convey required Categories and 
Subcategories. 

• A critical infrastructure sector may establish a Target Profile that can be used among its 
constituents as an initial baseline Profile to build their tailored Target Profiles. 


3.4 Identifying Opportunities for New or Revised Informative References 


The Framework can be used to identify opportunities for new or revised standards, guidelines, or 
practices where additional Informative References would help organizations address emerging 
needs. An organization implementing a given Subcategory, or developing a new Subcategory, 
might discover that there are few Informative References, if any, for a related activity. To 
address that need, the organization might collaborate with technology leaders and/or standards 
bodies to draft, develop, and coordinate standards, guidelines, or practices. 


3.5 Methodology to Protect Privacy and Civil Liberties 


This section describes a methodology as required by the Executive Order to address individual 
privacy and civil liberties implications that may result from cybersecurity operations. This 
methodology is intended to be a general set of considerations and processes since privacy and 
civil liberties implications may differ by sector or over time and organizations may address these 
considerations and processes with a range of technical implementations. Nonetheless, not all 
activities in a cybersecurity program may give rise to these considerations. Consistent with 
Section 3.4, technical privacy standards, guidelines, and additional best practices may need to be 
developed to support improved technical implementations. 


Privacy and civil liberties implications may arise when personal information is used, collected, 
processed, maintained, or disclosed in connection with an organization's cybersecurity activities. 
Some examples of activities that bear privacy or civil liberties considerations may include: 
cybersecurity activities that result in the over-collection or over-retention of personal 
information; disclosure or use of personal information unrelated to cybersecurity activities; 
cybersecurity mitigation activities that result in denial of service or other similar potentially 
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adverse impacts, including activities such as some types of incident detection or monitoring that 
may impact freedom of expression or association. 


The government and agents of the government have a direct responsibility to protect civil 
liberties arising from cybersecurity activities. As referenced in the methodology below, 
government or agents of the government that own or operate critical infrastructure should have a 
process in place to support compliance of cybersecurity activities with applicable privacy laws, 
regulations, and Constitutional requirements. 


To address privacy implications, organizations may consider how, in circumstances where such 
measures are appropriate, their cybersecurity program might incorporate privacy principles such 
as: data minimization in the collection, disclosure, and retention of personal information material 
related to the cybersecurity incident; use limitations outside of cybersecurity activities on any 
information collected specifically for cybersecurity activities; transparency for certain 
cybersecurity activities; individual consent and redress for adverse impacts arising from use of 
personal information in cybersecurity activities; data quality, integrity, and security; and 
accountability and auditing. 


As organizations assess the Framework Core in Appendix A, the following processes and 
activities may be considered as a means to address the above-referenced privacy and civil 
liberties implications: 


Governance of cybersecurity risk 


• An organization’s assessment of cybersecurity risk and potential risk responses considers 
the privacy implications of its cybersecurity program 

• Individuals with cybersecurity-related privacy responsibilities report to appropriate 
management and are appropriately trained 

• Process is in place to support compliance of cybersecurity activities with applicable 
privacy laws, regulations, and Constitutional requirements 

• Process is in place to assess implementation of the foregoing organizational measures and 
controls 


Approaches to identifying and authorizing individuals to access organizational assets and 
systems 


• Steps are taken to identify and address the privacy implications of access control 
measures to the extent that they involve collection, disclosure, or use of personal 
information 


Awareness and training measures 


• Applicable information from organizational privacy policies is included in cybersecurity 
workforce training and awareness activities 

• Service providers that provide cybersecurity-related services for the organization are 
informed about the organization’s applicable privacy policies 




Anomalous activity detection and system and assets monitoring 


• Process is in place to conduct a privacy review of an organization's anomalous activity 
detection and cybersecurity monitoring 


Response activities, including information sharing or other mitigation efforts 


• Process is in place to assess and address whether, when, how, and the extent to which 
personal information is shared outside the organization as part of cybersecurity 
information sharing activities 

• Process is in place to conduct a privacy review of an organization's cybersecurity 
mitigation efforts 




Appendix A: Framework Core 


This appendix presents the Framework Core: a listing of Functions, Categories, Subcategories, 
and Informative References that describe specific cybersecurity activities that are common 
across all critical infrastructure sectors. The chosen presentation format for the Framework Core 
does not suggest a specific implementation order or imply a degree of importance of the 
Categories, Subcategories, and Informative References. The Framework Core presented in this 
appendix represents a common set of activities for managing cybersecurity risk. While the 
Framework is not exhaustive, it is extensible, allowing organizations, sectors, and other entities 
to use Subcategories and Informative References that are cost-effective and efficient and that 
enable them to manage their cybersecurity risk. Activities can be selected from the Framework 
Core during the Profile creation process and additional Categories, Subcategories, and 
Informative References may be added to the Profile. An organization's risk management 
processes, legal/regulatory requirements, business/mission objectives, and organizational 
constraints guide the selection of these activities during Profile creation. Personal information is 
considered a component of data or assets referenced in the Categories when assessing security 
risks and protections. 


While the intended outcomes identified in the Functions, Categories, and Subcategories are the 
same for IT and ICS, the operational environments and considerations for IT and ICS differ. ICS 
have a direct effect on the physical world, including potential risks to the health and safety of 
individuals, and impact on the environment. Additionally, ICS have unique performance and 
reliability requirements compared with IT, and the goals of safety and efficiency must be 
considered when implementing cybersecurity measures. 


For ease of use, each component of the Framework Core is given a unique identifier. Functions 
and Categories each have a unique alphabetic identifier, as shown in Table 1. Subcategories 
within each Category are referenced numerically; the unique identifier for each Subcategory is 
included in Table 2. 


Additional supporting material relating to the Framework can be found on the NIST website at http://www.nist.gov/cyberframework/.
Table 1: Function and Category Unique Identifiers

Function Unique Identifier | Function | Category Unique Identifier | Category
ID | Identify | ID.AM | Asset Management
ID | Identify | ID.BE | Business Environment
ID | Identify | ID.GV | Governance
ID | Identify | ID.RA | Risk Assessment
ID | Identify | ID.RM | Risk Management Strategy
PR | Protect  | PR.AC | Access Control
PR | Protect  | PR.AT | Awareness and Training
PR | Protect  | PR.DS | Data Security
PR | Protect  | PR.IP | Information Protection Processes and Procedures
PR | Protect  | PR.MA | Maintenance
PR | Protect  | PR.PT | Protective Technology
DE | Detect   | DE.AE | Anomalies and Events
DE | Detect   | DE.CM | Security Continuous Monitoring
DE | Detect   | DE.DP | Detection Processes
RS | Respond  | RS.RP | Response Planning
RS | Respond  | RS.CO | Communications
RS | Respond  | RS.AN | Analysis
RS | Respond  | RS.MI | Mitigation
RS | Respond  | RS.IM | Improvements
RC | Recover  | RC.RP | Recovery Planning
RC | Recover  | RC.IM | Improvements
RC | Recover  | RC.CO | Communications


Appendix B: Glossary 


This appendix defines selected terms used in the publication. 


Category: The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”


Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.


Cybersecurity: The process of protecting information by preventing, detecting, and responding to attacks.


Cybersecurity Event: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).


Detect (function): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.


Framework: A risk-based approach to reducing cybersecurity risk composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. Also known as the “Cybersecurity Framework.”


Framework Core: A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.


Framework Implementation Tier: A lens through which to view the characteristics of an organization’s approach to risk—how an organization views cybersecurity risk and the processes in place to manage that risk.


Framework Profile: A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.


Function: One of the main components of the Framework. Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five functions are Identify, Protect, Detect, Respond, and Recover.


Identify (function): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.


Informative Reference: A specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Subcategory.


Mobile Code: A program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics.


Protect (function): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.


Privileged User: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.


Recover (function): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.


Respond (function): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.


Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.


Risk Management: The process of identifying, assessing, and responding to risk.


Subcategory: The subdivision of a Category into specific outcomes of technical and/or management activities. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”
Appendix C: Acronyms


This appendix defines selected acronyms used in the publication. 


CCS: Council on CyberSecurity
COBIT: Control Objectives for Information and Related Technology
DCS: Distributed Control System
DHS: Department of Homeland Security
EO: Executive Order
ICS: Industrial Control Systems
IEC: International Electrotechnical Commission
IR: Interagency Report
ISA: International Society of Automation
ISAC: Information Sharing and Analysis Center
ISO: International Organization for Standardization
IT: Information Technology
NIST: National Institute of Standards and Technology
RFI: Request for Information
RMP: Risk Management Process
SCADA: Supervisory Control and Data Acquisition
SP: Special Publication
Introduction


In the past few years, we have seen significant breaches in cybersecurity which could 
affect critical U.S. infrastructure. Data on the nation's weakest dams, including those which 
could kill Americans if they failed, were stolen by a malicious intruder. Nuclear plants' 
confidential cybersecurity plans have been left unprotected. Blueprints for the technology 
undergirding the New York Stock Exchange were exposed to hackers. 


Examples like those underscore for many the importance of increased federal involvement in protecting the nation's privately-owned critical infrastructure. But for one thing: Those failures aren't due to poor practices by the private sector. All of the examples below were real lapses by the federal government.


• The Nuclear Regulatory Commission stored sensitive cybersecurity details for nuclear plants on an unprotected shared drive, making them more vulnerable to hackers and cyberthieves.


• The Securities and Exchange Commission routinely exposed extremely sensitive data about the computer networks supporting the New York Stock Exchange, including NYSE’s cybersecurity measures. The information the SEC exposed reportedly could be extremely useful to a hacker or terrorist who wanted to penetrate the market’s defenses and attack its systems.


• Last January, hackers gained access to U.S. Army Corps of Engineers computers and downloaded an entire non-public database of information about the nation’s 85,000 dams — including sensitive information about each dam’s condition, the potential for fatalities if breached, location and nearest city.¹


• Last February, hackers reportedly broke into the national Emergency Broadcast System, implemented by the Federal Emergency Management Agency (FEMA) and the Federal Communications Commission (FCC) as the federal government's tool to address Americans in case of a national emergency. The hackers caused television stations in Michigan, Montana and North Dakota to broadcast zombie attack warnings. “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” an authoritative voice stated in the hacked broadcast message, while the familiar warning beep sounded. “Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”²


¹ Senate HSGAC Minority Staff briefing with U.S. Army Corps of Engineers officials, May 3, 2013.
² “Local Station Breaks Into Programming With Emergency Zombie Apocalypse Alert,” Mediaite.com; http://www.fcc.gov/guides/emergency-alert-system-eas.
• Last March, hackers exploited a vulnerability on web servers belonging to the National Institute of Standards and Technology (NIST), the federal government’s authority for federal and private-sector cybersecurity. The servers, which hosted the federal government’s database of known software vulnerabilities, had to be taken out of service for several days.³


In addition, hackers have penetrated, taken control of, caused damage to and/or stolen sensitive personal and official information from computer systems at the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce; NASA; the Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the U.S. Copyright Office; and the National Weather Service, according to public reporting.⁴


These are just hacks whose details became known to the public, often because the hackers themselves announced their exploits. Largely invisible to the public and policymakers are over 48,000 other cyber “incidents” involving government systems which agencies detected and reported to DHS in FY 2012.⁵ And one cannot ignore the universe of other intrusions that agencies could not detect: civilian agencies don’t detect roughly 4 in 10 intrusions, according to testing reported in 2013 by the White House Office of Management and Budget.⁶


While cyber intrusions into protected systems are typically the result of sophisticated hacking, they often exploit mundane weaknesses, particularly out-of-date software. Even though they sound boring, failing to install software patches or update programs to their latest version creates entry points for spies, hackers and other malicious actors. Last July, hackers used just that kind of known, fixable weakness to steal private information on over 100,000 people from the Department of Energy. The department’s Inspector General blamed the theft in part on a piece


³ Goodin, Dan, “National Vulnerability Database taken down by vulnerability-exploiting hack,” Ars Technica, March 14, 2013, accessed January 13, 2014.

⁴ Reported incidents compiled by the Senate Committee on Commerce, 2013; Mose Paul, “The Alarming Trend of Cybersecurity Breaches and Failures in the U.S. Government Continues,” Heritage Foundation, accessed January 13, 2014; Ryan, Jason, “Anonymous Hits Federal Reserve in Hack Attack,” ABCNews.com, Feb. 6, 2013, accessed January 13, 2014; Lennon, Mike, “NASA Inspector General Said Hackers Had Full Functional Control Over NASA Networks,” SecurityWeek, March 3, 2012, http://www.securityweek.com/nasa-inspector-general-said-hackers-had-full-functional-control-over-nasa-networks, accessed January 13, 2014; Lowenson, Josh, “Lawmakers ask for deeper look into FDA security hack,” TheVerge.com, Dec. 9, 2013, accessed January 13, 2014.

⁵ “Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002,” Office of Management and Budget, March 2013, p. 17, http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf, accessed January 13, 2014.

⁶ “Fiscal Year 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002,” Office of Management and Budget, March 2013, p. 30: Across 22 agencies, “on average the NOC/SOC [Network Operations Center/Security Operations Center] was 63% effective at detecting incidents.” http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf, accessed January 13, 2014.
of software which had not been updated in over two years, even though the department had purchased the upgrade.⁷


The President's Order 


In February 2012, President Obama unveiled an executive order to protect the nation 
from debilitating cyberattacks. The president's order addresses the security of computers and 
networks which run the nation's commercially-owned critical infrastructure. Already, agencies 
are drawing up plans and working with the private sector to implement the president's directive. 


It is appropriate for the White House to envision a federal role in protecting privately- 
owned infrastructure, particularly when that infrastructure undergirds the nation's economy and 
society. However, for the country's citizens and businesses to take the government's effort 
seriously, the federal government should address the immediate danger posed by the insecurity 
of its own critical networks. 


Over more than a decade, the federal government has struggled to implement a mandate 
to protect its own IT systems from malicious attacks. As we move forward on this national 
strategy to boost the cybersecurity of our nation's critical infrastructure, we cannot overlook the 
critical roles played by many government operations, and the dangerous vulnerabilities which 
persist in their information systems. 


Federal Information Security Management Act (FISMA) 


Eleven years ago, Congress passed and the White House approved legislation to strengthen the federal government's own computers and networks.⁹ The law, known as the Federal Information Security Management Act (FISMA), requires agencies to develop, document, and implement information security programs which meet certain specifications. As Congress again contemplates a major cybersecurity effort, it may be advisable to evaluate how the federal effort has fared. For one thing, FISMA could benefit from reforms of its own. But more importantly, its history can hold clues to the federal government's ability to effectively mandate and enforce cybersecurity standards.


Since 2006, the federal government has spent at least $65 billion on securing its computers and networks, according to an estimate by the Congressional Research Service.¹¹ The National Institute of Standards and Technology (NIST), the government's official body for


⁷ Goodin, Dan, “How hackers made minced meat out of the Department of Energy networks,” Ars Technica, Dec. 16, 2013, accessed January 13, 2014.
⁸ “Executive Order — Improving Critical Infrastructure Cybersecurity,” White House, February 12, 2013, accessed January 13, 2014.
⁹ “Federal Information Security Management Act of 2002,” enacted as Title III of the E-Government Act of 2002 (Pub. L. 107-347).
¹⁰ “FISMA: Detailed Overview,” NIST, http://csrc.nist.gov/groups/SMA/fisma/overview.html, accessed January 13, 2014.
¹¹ Congressional Research Service, Memo to HSGAC Minority Staff, “FISMA Spending, Historical Trends,” June 6, 2013.




setting cybersecurity standards, has produced thousands of pages of precise guidance on every 
significant aspect of IT security. And yet agencies — even agencies with responsibilities for 
critical infrastructure, or vast repositories of sensitive data — continue to leave themselves 
vulnerable, often by failing to take the most basic steps towards securing their systems and 
information. 


Methodology 


This report draws on more than 40 audits and other reviews by agency inspectors general, 
including mandated annual FISMA audits for nearly a dozen agencies, as well as open-source 
reporting on cybersecurity and federal agencies. In addition, staff interviewed officials from 
offices of inspectors general (OIGs) about their cybersecurity work. 


Due to the sensitivity of the topic, drafts of this report were shared with relevant OIGs to 
confirm no sensitive non-public information was inadvertently included which could harm 
federal cybersecurity efforts. 
Department of Homeland Security


In 2010, the Administration tasked the Department of 
Homeland Security to lead the federal government’s efforts to 
secure its own computers. 


Since it was selected to shoulder the profound responsibility of overseeing the security of all unclassified federal networks, one might expect DHS’s cyber protections to be a model for other agencies, or that the department had demonstrated an outstanding competence in the field. But a closer look at DHS’s efforts to secure its own systems reveals that the department suffers from many of the same shortcomings found at other government agencies.





In August 2010 — just one month after a White House directive gave DHS responsibility for the cybersecurity of all federal government networks — the DHS Inspector General found that the DHS computer security experts who would fulfill that directive had serious cyber vulnerabilities in their own systems. The IG found hundreds of vulnerabilities on the DHS cyber team’s systems, including failures to update basic software like Microsoft applications, Adobe Acrobat and Java,¹² the sort of basic security measure just about any American with a computer has performed.


Weaknesses at DHS are not confined to its own cybersecurity office. IT security vulnerabilities exist throughout DHS and its component agencies. Although it has steadily improved its overall cybersecurity performance, DHS is by no means a standard-setter. In fact, in some key areas DHS lags behind many of its agency peers. For instance, in 2013 OMB found DHS rated below the government-wide average for using anti-virus software or other automated detection programs, encrypting email, and security awareness training for network users.¹³


In 2013, OMB set a goal for government agencies to send at least 88% of all internet traffic through special secure gateways, known as Trusted Internet Connections (TICs). It set a goal for DHS of 95 percent. The Department's Inspector General reported last November DHS failed to meet either goal. Just 72 percent of DHS internet traffic passed through TICs, the IG stated. It should be noted that DHS is responsible for the administration's efforts to consolidate federal internet traffic through TICs.¹⁴





¹² “DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems,” DHS Office of Inspector General, August 2010, http://www.oig.dhs.gov/assets/Mgmt/OIG_10-111_Aug10.pdf, accessed January 13, 2014.

¹³ “Fiscal Year 2012 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002,” Office of Management and Budget, March 2013, pp. 31-35, http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf, accessed January 13, 2014.

¹⁴ “OIG-14-09: Evaluation of DHS’ Information Security Program for Fiscal Year 2013,” DHS Office of Inspector General, November 2013, pp. 3, 15, http://www.oig.dhs.gov/assets/Mgmt/2014/OIG_14-09_Nov13.pdf, accessed January 13, 2014. DHS has claimed its TIC consolidation numbers have improved since then.
Repeated failure to install software updates and security patches. In 2012, the IG found vulnerabilities arising from missing patches on computers at the National Protection and Programs Directorate (NPPD), which houses the bulk of DHS's cybersecurity efforts; on servers supporting U.S. Secret Service intelligence work; on computers supporting ICE Homeland Security Investigations' Intelligence Fusion Systems, a powerful system allowing agents to query several sensitive databases; and on dozens of servers supporting TSA's Transportation Worker Identification Credential (TWIC) program, which keeps biometric information and credentials for over two million longshoremen, truckers, port employees, mariners and others.¹⁵


Sensitive databases protected by weak or default passwords.¹⁶ At NPPD, which oversees DHS's cybersecurity programs, the IG found multiple accounts protected by weak passwords. For FEMA’s Enterprise Data Warehouse, which handles reports on FEMA’s disaster deployment readiness and generates other reports accessing Personally Identifying Information (PII),¹⁷ the IG found accounts protected by “default” passwords, and improperly configured password controls.¹⁸


Computers controlling physical access to DHS facilities whose antivirus software was out of date. Twelve of the 14 computer servers the IG checked in 2012 had anti-virus definitions most recently updated in August 2011. Several of the servers also lacked patches to critical software components.


Websites with known types of vulnerabilities which could allow a hacker to hijack user accounts, execute malicious scripts, or access sensitive information.²⁰ Public websites for CBP, FEMA, ICE and even NPPD, home of US-CERT, held flaws which could allow unauthorized access, the IG found in 2012. Notably, several vulnerabilities were found in the DHS website “Build Security In” (http://www.buildsecurityin.us-cert.gov).²¹ DHS developed the site to encourage software developers “to build security into software in every phase of its development.”²²


Poor physical and information security. Independent auditors physically inspected 
offices and found passwords written down on desks, sensitive information left exposed, unlocked 


¹⁵ ITDashboard, “TSA — Transportation Worker Identification Credential (TWIC),” http://www.itdashboard.gov/investment?buscid=170; TWIC Deployment Website, http://www.twicinformation.com/twicinfo/, accessed January 13, 2014; information provided by DHS Office of Inspector General.

¹⁶ Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the organization's name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology. NIST, “Guide to Enterprise Password Management (Draft), Special Publication 800-118,” April 2009, http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-118, accessed January 13, 2014.

¹⁷ “Privacy Impact Assessment for the Operational Data Store (ODS) and Enterprise Data Warehouse (EDW),” June 29, 2012, http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_ods_edw_20120629.pdf, accessed January 13, 2014.

¹⁸ Information provided to HSGAC by DHS Office of Inspector General, February 14, 2013.

¹⁹ Information provided to HSGAC by DHS Office of Inspector General, February 14, 2013.

²⁰ “Evaluation of DHS’ Information Security Program for Fiscal Year 2012,” DHS Office of Inspector General, October 2012, http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-04_Oct12.pdf, accessed January 13, 2014.

²¹ Information provided to HSGAC by DHS Office of Inspector General, February 14, 2013.

²² “Build Security In,” https://buildsecurityin.us-cert.gov/bsi/home.html, accessed January 13, 2014.
laptops, even credit card information. To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops — even two credit cards left out.²³


²³ “Information Technology Management Letter for the Immigration and Customs Enforcement Component of the FY 2012 Department of Homeland Security Financial Statement Audit,” DHS Office of Inspector General, April 2013, http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-60_Apr13.pdf, accessed January 13, 2014.
Nuclear Regulatory Commission


The Nuclear Regulatory Commission (NRC) maintains volumes of sensitive, detailed documentation on nuclear facilities. The design and security plans of every nuclear reactor, waste storage facility, and uranium processing facility in the United States; records on every individual licensed to operate or supervise nuclear reactors; and information on the design and process of nuclear material transport all live on the NRC's systems.





Unauthorized disclosure of such sensitive, non-public information “could result in damage to the Nation's critical infrastructure,” including nuclear power plants, according to the NRC's Inspector General.²⁴ Unfortunately, the NRC regularly experiences unauthorized disclosures of sensitive information, or fails to apply adequate measures to protect that data.


Perceived ineptitude of NRC technology experts. There is such “a general lack of confidence” in the NRC's information technology division that NRC offices have effectively gone rogue — by buying and deploying their own computers and networks without the knowledge or involvement of the department's so-called IT experts. Such “shadow IT” systems “can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies,” the NRC Inspector General reported in December 2013.²⁵


Sensitive data stored on unsecured shared drive. NRC workers improperly stored and shared sensitive information on an unsecured network drive, according to a 2011 audit. Among the inappropriate data found on the drive: details on nuclear facilities’ cybersecurity programs; information on security at fuel cycle facilities; and a Commissioner's passport photo, credit card image, home address and phone number.²⁶


Failure to report security breaches. How often does the NRC lose track of or accidentally expose sensitive information to possible release? The NRC can't say, because it has no official process for reporting such breaches. Many involve electronic data stored on the Commission's computers. Of the 95 security lapses which NRC personnel did report between 2005 and 2011, at least a third appear to involve NRC’s IT systems.²⁷


Inability to keep track of computers. The NRC has had trouble keeping track of its 
laptop computers, including those which access sensitive information about the nuclear sites the 





²⁴ “Semiannual Report to Congress,” Nuclear Regulatory Commission Office of the Inspector General, September 30, 2012, http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1415/v25n2/sr1415v25n2.pdf, accessed January 13, 2014.

²⁵ “Audit of NRC's Information Technology Governance,” Nuclear Regulatory Commission Office of the Inspector General, December 9, 2013, pp. i, 8, http://pbadupws.nrc.gov/docs/ML1334/ML13343A244.pdf, accessed January 13, 2014.

²⁶ “Audit of NRC's Shared “S” Drive,” Nuclear Regulatory Commission Office of the Inspector General, July 27, 2011, http://pbadupws.nrc.gov/docs/ML1120/ML112081653.pdf, accessed January 13, 2014.

²⁷ “Audit of NRC's Protection of Safeguards Information,” Nuclear Regulatory Commission Office of the Inspector General, April 16, 2012, http://pbadupws.nrc.gov/docs/ML1210/ML12107A048.pdf, accessed January 13, 2014.







commission regulates.²⁸ Confusion over laptops' documentation and authorization “could lead to unauthorized use of NRC resources or release of sensitive information,” the NRC OIG warned in 2012.²⁹


General Sloppiness. Federal guidelines are clear: when an agency identifies a weakness in its IT security, officials must record the problem, find a way to fix it, and assign themselves a deadline for completion. As officials make progress and the weakness is eventually remedied, officials are supposed to update their records. Without that basic system in place, neither the agency nor the administration can tell if vulnerabilities are being addressed.


Yet just about every aspect of that process appears to be broken at the NRC. Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not. In 2012, the IG reported the NRC was “not effective at monitoring the progress of corrective efforts relative to known weaknesses in IT security controls.”³⁰ Last November, a year later, the IG found that nothing had changed, and that the NRC’s efforts “are still not effective at monitoring the progress of corrective efforts ... and therefore do not provide an accurate measure of security program effectiveness.”³¹





²⁸ “Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2012,” Nuclear Regulatory Commission Office of the Inspector General, November 8, 2012, pp. 5-6, http://pbadupws.nrc.gov/docs/ML1231/ML12313A195.pdf, accessed January 13, 2014.

²⁹ “Information of Security Risk Evaluation of Region II — Atlanta, GA,” Nuclear Regulatory Commission Office of the Inspector General, August 27, 2012, p. 10, http://www.nrc.gov/reading-rm/doc-collections/insp-gen/2012/oig-12-a-17.pdf, accessed January 13, 2014.

³⁰ “Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2012,” Nuclear Regulatory Commission Office of the Inspector General, November 8, 2012, http://pbadupws.nrc.gov/docs/ML1231/ML12313A195.pdf, accessed January 13, 2014.

³¹ “Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act for Fiscal Year 2013,” Nuclear Regulatory Commission Office of Inspector General, November 22, 2013, http://pbadupws.nrc.gov/docs/ML1332/ML13326A090.pdf, accessed January 13, 2014.
Internal Revenue Service


The Internal Revenue Service (IRS) collects federal taxes owed by 
any person or business in the United States, and its computers hold more 
sensitive data on more Americans than those of perhaps any other federal 
component. In addition to traditional records on employment, income and 

identifier information, the IRS reportedly collects a huge volume of 
personal information on Americans' credit card transactions, eBay 
activities, Facebook posts and other online behavior. ?? 





Unfortunately, the IRS has struggled with the same serious cybersecurity issues for years, and has moved too slowly to correct them.

The IRS' internal watchdog, the Treasury Inspector General for Tax Administration (TIGTA), believes data security is the most serious management challenge facing the IRS.[33] For years, the Government Accountability Office (GAO) has also warned IRS its computers are not safe — that in fact, they are dangerously vulnerable to intrusion and data theft.[34]

Every year since 2008, GAO has identified about 100 cybersecurity weaknesses at the IRS which compromise the agency's computers and data, often repeating weaknesses it cited the previous year.[35] Every year, the IRS claims to fix about half of them, but GAO says even those disappointing numbers aren't right, because IRS doesn't confirm the actions they take actually fix the problems.[36] And every year, GAO returns and finds around 100 problems with IRS' cybersecurity.[37]


Fails to encrypt sensitive data. IRS routinely fails to encrypt its data — converting sensitive data into complex code, making it difficult to read without a key to decrypt the information — or it encrypts the data so weakly that it can be easily decoded.[38] Since at least 2009, GAO has repeatedly identified instances where IRS did not properly encrypt sensitive data including tax, accounting, and financial information, as well as usernames and passwords. Failing to encrypt or weakly encrypting those data makes it easier for a malicious actor to download, view, and possibly even change taxpayer information and IRS systems.[39]

[32] Satran, Richard, "IRS High-Tech Tools Track Your Digital Footprints," U.S. News and World Report, April 4, 2013, http:// .usnews.com/money/personal-finance/mutual-funds/articles/ 4/04/irs-hi your-digital-footprints, accessed January 13, 2014.

[33] "Management and Performance Challenges Facing the Internal Revenue Service for Fiscal Year 2014," Treasury Inspector General for Tax Administration, November 8, 2013, http://www.treasury.gov/tigta/management/management fy2014.pdf, accessed January 13, 2014.

[34] "INFORMATION SECURITY: IRS Has Improved Controls but Needs to Resolve Weaknesses," Government Accountability Office, March 2013, http://www.gao.gov/assets/660/653086.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2012, http://www.gao.gov/assets/590/589399.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2011, http://www.gao.gov/assets/320/316569.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses," Government Accountability Office, March 2010, http://gao.gov/assets/310/302087.pdf, accessed January 13, 2014; "INFORMATION SECURITY: Continued Efforts Needed to Address Significant Weaknesses at IRS," Government Accountability Office, January 2009, http://gao.gov/assets/290/284722.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to


Lousy user passwords. In March 2013, GAO reported that IRS allowed its employees to use passwords that "could be easily guessed." Examples of easily-guessed passwords are a person's username or real name, the word "password," the agency's name, or simple keyboard patterns (e.g., "qwerty"), according to the National Institute of Standards and Technology.[40] In some cases, IRS users had not changed their passwords in nearly two years.[41] As a result someone might gain unauthorized access to taxpayers' personal information and it "would be virtually undetectable," potentially for years.[42] GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS' information security for the past six years.[43]
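The following is an added illustration, not part of the report and not any agency's tooling: a small Python policy check that rejects exactly the "easily guessed" password types the paragraph lists. The usernames, real names and candidate passwords are constructed; the agency name and the keyboard rows are inputs to the check, and the name-matching rule (a name token or acronym of three or more characters that is not buried inside a longer word) is an assumption made here so that an acronym like "irs" is caught in "Irs2014!" without flagging every password containing the letters "irs".

```python
"""Added example, not from the report: a policy check that rejects the
"easily guessed" passwords the paragraph lists (username, real name, the
word "password", the agency's name, keyboard patterns such as "qwerty").
All usernames, names and passwords below are constructed."""
import re

# Keyboard rows, scanned in both directions for runs of adjacent keys.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def contains_keyboard_run(password: str, min_len: int = 4) -> bool:
    """True if the password contains min_len or more adjacent keys in a row."""
    pw = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in pw:
                    return True
    return False


def contains_name_token(password: str, name: str) -> bool:
    """Heuristic (assumed here): a word of the name, or its acronym, with 3+
    characters appears in the password and is not buried inside a longer
    alphabetic word. So "irs" matches "Irs2014!" but not "first123"."""
    pw = password.lower()
    words = [w for w in re.split(r"\W+", name.lower()) if w]
    tokens = words + ["".join(w[0] for w in words)]
    for token in tokens:
        if len(token) >= 3 and re.search(
                rf"(?<![a-z]){re.escape(token)}(?![a-z])", pw):
            return True
    return False


def password_findings(password, username, real_name, agency_name):
    """Return the list of policy violations for one password (empty = passes)."""
    findings = []
    if contains_name_token(password, username):
        findings.append("contains username")
    if contains_name_token(password, real_name):
        findings.append("contains real name")
    if "password" in password.lower():
        findings.append('contains the word "password"')
    if contains_name_token(password, agency_name):
        findings.append("contains agency name")
    if contains_keyboard_run(password):
        findings.append("keyboard pattern")
    return findings


# Constructed accounts: (username, real name, candidate password).
SAMPLE_ACCOUNTS = [
    ("jdoe", "Jane Doe", "qwerty2012"),
    ("jdoe", "Jane Doe", "jdoe!2013"),
    ("rroe", "Richard Roe", "Irs2014!"),
    ("rroe", "Richard Roe", "Password1"),
    ("rroe", "Richard Roe", "Tr0ub4dor&3-kite"),
]


def audit(accounts, agency_name="Internal Revenue Service"):
    """Map each candidate password to its list of findings."""
    return {pw: password_findings(pw, user, name, agency_name)
            for user, name, pw in accounts}


if __name__ == "__main__":
    for pw, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{pw!r:20} {'OK' if not findings else ', '.join(findings)}")
```

A check like this is cheap to run at password-change time; it does not replace a password-age or lockout policy, it only closes the specific gap the GAO finding describes.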


Officials don't properly fix known vulnerabilities. IRS employees monitored its computers by running programs which flagged vulnerabilities in equipment and software, but then failed to fix the issues. As a result, scans repeatedly flagged the same vulnerabilities "for two or three consecutive months."[44]

[38] "INFORMATION SECURITY: IRS Has Improved Controls but Needs to Resolve Weaknesses," Government Accountability Office, March 2013, p. 10, http://www.gao.gov/assets/660/653086.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2012, p. 9, http://www.gao.gov/assets/590/589399.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2011, p. 9, http://www.gao.gov/assets/320/316569.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses," Government Accountability Office, March 2010, p. 9, http://gao.gov/assets/310/302087.pdf, accessed January 13, 2014; "INFORMATION SECURITY: Continued Efforts Needed to Address Significant Weaknesses at IRS," Government Accountability Office, January 2009, p. 11, http://www.gao.gov/assets/290/284722.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Address Pervasive Weaknesses," Government Accountability Office, January 2008, p. 12, http://www.gao.gov/assets/280/270917.pdf, accessed January 13, 2014.

[39] Ibid.

[40] NIST, "Guide to Enterprise Password Management (Draft), Special Publication 800-118," April 2009, http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf, accessed January 13, 2014.

[41] "INFORMATION SECURITY: IRS Has Improved Controls but Needs to Resolve Weaknesses," Government Accountability Office, March 2013, pp. 7-8, http://www.gao.gov/assets/660/653086.pdf, accessed January 13, 2014.

[42] Ibid.

[43] Ibid.; "INFORMATION SECURITY: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2012, p. 7, http://www.gao.gov/assets/590/589399.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data," Government Accountability Office, March 2011, p. 7, http://www.gao.gov/assets/320/316569.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses," Government Accountability Office, March 2010, p. 7, http://gao.gov/assets/310/302087.pdf, accessed January 13, 2014; "INFORMATION SECURITY: Continued Efforts Needed to Address Significant Weaknesses at IRS," Government Accountability Office, January 2009, p. 10, http://www.gao.gov/assets/290/284722.pdf, accessed January 13, 2014; "INFORMATION SECURITY: IRS Needs to Address Pervasive Weaknesses," Government Accountability Office, January 2008, p. 10, http://www.gao.gov/assets/280/270917.pdf, accessed January 13, 2014.


Dangerously slow to install crucial software updates and patches. In March 2012, IRS computers had 7,329 "potential vulnerabilities" because critical software patches had not been installed on computer servers which needed them. At one point in 2011, over a third of all computers at the IRS had software with critical vulnerabilities that were not patched.[46] IRS officials said they expect critical patches to be installed within 72 hours. But TIGTA found it took the IRS 55 days, on average, to get around to installing critical patches.[47] Most recently, in September 2013, TIGTA re-affirmed that the IRS still "has not yet fully implemented a process to ensure timely and secure installation of software patches."[48]
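The two IRS findings above (scanner results that recur month after month, and patches that land weeks after the 72-hour target), like the NRC's broken tracking of corrective actions, come down to not measuring remediation. The Python below is an added example, not from the report or any agency: it takes constructed monthly scan output and constructed patch records, reports every finding left open for consecutive months, and measures time-to-install against a 72-hour SLA, counting a patch that is still missing as over SLA once the window has passed. The record layouts, host names and finding identifiers are assumptions made for the example.

```python
"""Added example, not from the report: tracking whether scanner findings
are actually remediated, and how long critical patches take to land. The
scan results and patch records are constructed; the 72-hour target is the
one the text attributes to IRS officials."""
from datetime import datetime

# Constructed monthly scan output: (scan month, host, finding id).
SCANS = [
    ("2012-01", "srv-01", "VULN-A"),
    ("2012-02", "srv-01", "VULN-A"),
    ("2012-03", "srv-01", "VULN-A"),   # open three months running
    ("2012-01", "srv-02", "VULN-B"),
    ("2012-03", "srv-02", "VULN-B"),   # fixed in February, back in March
    ("2012-02", "srv-03", "VULN-C"),
    ("2012-03", "srv-03", "VULN-C"),   # open two months running
    ("2012-03", "srv-04", "VULN-D"),   # new this month
]

# Constructed patch records: (host, patch id, available at, installed at or None).
PATCHES = [
    ("srv-01", "KB-100", "2012-03-01T09:00", "2012-03-03T15:00"),  # 54 hours
    ("srv-02", "KB-100", "2012-03-01T09:00", "2012-04-25T09:00"),  # 55 days
    ("srv-03", "KB-101", "2012-03-10T12:00", None),                # never installed
]


def _month_index(ym: str) -> int:
    """Map 'YYYY-MM' to a running month number so adjacency is a +1 test."""
    year, month = (int(x) for x in ym.split("-"))
    return year * 12 + month


def recurring_findings(scans, min_months: int = 2):
    """Return {(host, finding): longest run of consecutive months flagged}
    for every finding open at least min_months in a row. A finding that
    disappears and comes back later does not count as one run."""
    months = {}
    for ym, host, vuln in scans:
        months.setdefault((host, vuln), set()).add(_month_index(ym))
    result = {}
    for key, idx in months.items():
        longest = run = 0
        prev = None
        for m in sorted(idx):
            run = run + 1 if prev is not None and m == prev + 1 else 1
            longest = max(longest, run)
            prev = m
        if longest >= min_months:
            result[key] = longest
    return result


def patch_sla_report(patches, sla_hours: float = 72, as_of: str = "2012-05-01T00:00"):
    """Summarise time-to-install against an SLA. Patches still missing are
    measured up to as_of, so a long-outstanding patch counts as over SLA."""
    now = datetime.fromisoformat(as_of)
    hours_installed, over_sla, missing = [], [], []
    for host, patch, available, installed in patches:
        avail = datetime.fromisoformat(available)
        if installed is None:
            missing.append((host, patch))
            if (now - avail).total_seconds() / 3600 > sla_hours:
                over_sla.append((host, patch))
            continue
        hours = (datetime.fromisoformat(installed) - avail).total_seconds() / 3600
        hours_installed.append(hours)
        if hours > sla_hours:
            over_sla.append((host, patch))
    mean = sum(hours_installed) / len(hours_installed) if hours_installed else 0.0
    return {
        "installed": len(hours_installed),
        "missing": missing,
        "over_sla": over_sla,
        "mean_hours_to_install": mean,
        "max_hours_to_install": max(hours_installed, default=0.0),
    }


if __name__ == "__main__":
    for (host, vuln), n in recurring_findings(SCANS).items():
        print(f"{host} {vuln}: flagged {n} consecutive months")
    print(patch_sla_report(PATCHES))
```

The point of keeping both views is that a mean alone hides the tail: in the constructed data the mean is pulled to 687 hours by one 55-day install, while the host with no install at all only shows up in the SLA breach list.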





[44] "Federal Information Security Management Act Report for Fiscal Year 2012," Treasury Inspector General for Tax Administration, September 28, 2012, pp. 7-8, http://www.treasury.gov/tigta/auditreports/2012reports/201220114fr.pdf, accessed January 13, 2014.

[45] "Federal Information Security Management Act Report for Fiscal Year 2012," Treasury Inspector General for Tax Administration, September 28, 2012, http://www.treasury.gov/tigta/auditreports/2012reports/201220114fr.pdf, accessed January 13, 2014.

[46] "Federal Information Security Management Act Report for Fiscal Year 2012," Treasury Inspector General for Tax Administration, September 28, 2012, p. 7, http://www.treasury.gov/tigta/auditreports/2012reports/201220114fr.pdf, accessed January 13, 2014.

[47] "An Enterprise Approach Is Needed to Address the Security Risk of Unpatched Computers," Treasury Inspector General for Tax Administration, September 25, 2012, p. 10, http://www.treasury.gov/tigta/auditreports/2012reports/201220112fr.pdf, accessed January 13, 2014.

[48] "Federal Information Security Management Act Report for Fiscal Year 2013," Treasury Inspector General for Tax Administration, September 27, 2013, p. 7, http://www.treasury.gov/tigta/auditreports/2013reports/201320126fr.pdf, accessed January 13, 2014.
Department of Education

The Department of Education holds and manages $948 billion in student loans made to more than 30 million borrowers. The Department's computers hold volumes of information on those borrowers — loan applications, credit checks, repayment records and more.[49]

Given the mammoth store of sensitive information the department keeps, it is disappointing that its Inspector General has said there is little assurance that sensitive data has not been altered or stolen from the computer systems which undergird its lending program.[50]





"[T]he Department's information is vulnerable to attacks that could lead to a loss of confidentiality," the IG concluded. "Also, there is increased risk that unauthorized activities ... could reduce the reliability and integrity of Department systems and data."[51]


No review for malicious activity. The Education Department provides remote access to student financial data to Department officials who are off-site or teleworking. Those remote access accounts can be easily compromised by hackers, who use keylogger malware to steal login information from officials' computers by secretly recording their keystrokes.


In 2011 and 2012, the Education Department's Federal Student Aid (FSA) office reported 819 compromised accounts. In only 17 percent of those cases did the Department review activity for those accounts to see whether any malicious activity had occurred.[52] Although the financial data is maintained by outside contractors, some of the Department's contracts for those services don't ensure it has access to audit logs for this purpose.[53]


In fact, the Education Department failed to ensure the contractor properly protected borrowers' sensitive personal and financial information; adequately configured their systems with security measures; identified and corrected flaws in their IT system; or adequately managed configuration settings and patching updates.[54]

[49] U.S. Department of Education, Office of Federal Student Aid, Annual Report 2012, p. 2, http://www2.ed.gov/about/reports/annual/2012report/fsa-report.pdf, accessed January 13, 2014.

[50] Inspector General Tighe testimony before the House Oversight and Government Reform Committee, March 5, 2013, pages 10-11, http://eq.com/doc/testimony-4230838#testimony, accessed January 13, 2014.

[51] "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012," Office of Inspector General, Department of Education, November 2012, p. 9, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2013/a11m0003.pdf, accessed January 13, 2014.

[52] "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012," Office of Inspector General, Department of Education, November 2012, p. 10, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2013/a11m0003.pdf, accessed January 13, 2014.

[53] "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012," Office of Inspector General, Department of Education, November 2012, p. 11, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2013/a11m0003.pdf, accessed January 13, 2014.


Unsecure networks. Stealing login data wasn't the only way for hackers to potentially compromise the Department's network infrastructure. In 2011, 2012 and 2013, auditors were able to connect a "rogue" computer and other hardware to the Education Department's networks without being noticed. This same access could allow a hacker to drop into the network environment behind the firewalls and other perimeter security.[55]

In June 2013, when its auditors succeeded with this same "rogue" penetration test, they were even able to access sensitive data stored in the department's networked printers "which could be used in a possible social engineering attack."[56]
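The defensive counterpart to the finding above is noticing an unregistered device the moment it asks for an address. The Python below is an added example, not from the report or from the Department: it reconciles DHCP server log lines against an asset inventory and raises an alert for any lease granted to a hardware address that is not registered, or to a registered address presenting a different hostname. The inventory and the log lines are constructed; the line layout follows ISC dhcpd's "DHCPACK on <ip> to <mac> (<hostname>) via <interface>" messages, and the inventory deliberately lists a networked printer, since the text notes printers hold sensitive data too.

```python
"""Added example, not from the report: spotting unregistered devices by
reconciling DHCP server log lines against an asset inventory. Inventory
and log excerpt are constructed; the log format follows ISC dhcpd."""
import re

# Constructed asset inventory: MAC address -> registered hostname.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "ed-laptop-0421",
    "00:1a:2b:3c:4d:60": "ed-prn-plano-07",   # networked printer, tracked as an asset
    "00:1a:2b:3c:4d:61": "ed-desk-1102",
}

# Constructed DHCP server log excerpt (ISC dhcpd message layout).
DHCP_LOG = """\
Jun 12 09:14:02 dhcp01 dhcpd: DHCPACK on 10.20.4.57 to 00:1a:2b:3c:4d:5e (ed-laptop-0421) via eth1
Jun 12 09:15:47 dhcp01 dhcpd: DHCPACK on 10.20.4.58 to 00:1a:2b:3c:4d:60 (ed-prn-plano-07) via eth1
Jun 12 09:20:11 dhcp01 dhcpd: DHCPACK on 10.20.4.91 to 08:00:27:aa:bb:cc (audit-box) via eth1
Jun 12 09:22:30 dhcp01 dhcpd: DHCPACK on 10.20.4.92 to 00:1a:2b:3c:4d:61 (visitor-pc) via eth1
Jun 12 09:22:31 dhcp01 dhcpd: DHCPREQUEST for 10.20.4.92 from 00:1a:2b:3c:4d:61 (visitor-pc) via eth1
"""

# Only DHCPACK lines mean an address was actually handed out; the hostname
# in parentheses is optional because not every client sends one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)", re.IGNORECASE)


def parse_leases(log_text):
    """Yield (ip, mac, hostname, iface) for every DHCPACK line; other
    message types (DHCPREQUEST, DHCPDISCOVER, ...) are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]


def rogue_devices(log_text, inventory):
    """Return alerts for leases whose MAC is not in the inventory, or whose
    presented hostname differs from the registered one (a re-imaged or
    cloned machine). Each alert is (ip, mac, hostname, reason)."""
    alerts = []
    for ip, mac, host, iface in parse_leases(log_text):
        registered = inventory.get(mac)
        if registered is None:
            alerts.append((ip, mac, host, f"unregistered device on {iface}"))
        elif host and host != registered:
            alerts.append((ip, mac, host, f"hostname mismatch (inventory: {registered})"))
    return alerts


if __name__ == "__main__":
    for ip, mac, host, reason in rogue_devices(DHCP_LOG, INVENTORY):
        print(f"ALERT {ip:<12} {mac} {host!r}: {reason}")
```

Matching on the hardware address is only as strong as the inventory behind it, so this belongs alongside switch-port authentication rather than in place of it; its value is that it turns a lease the auditors obtained silently into a logged event someone is paged for.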


Vulnerable user accounts. Hundreds of user accounts employed passwords that had not been changed for over 90 days, and many which had not been changed in over a year, the Inspector General found. The Department also failed to deactivate accounts which had been dormant for 90 days. Both are violations of the Department's own policies, meant to protect against unauthorized access by malicious actors, including hackers and ex-employees.[57] Also, while the Department had distributed authentication tokens to many of its employees — which is required by DHS and OMB guidance — fewer than half were activated for use, the OIG found.[58]
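Each of the three findings above (stale passwords, dormant accounts left enabled, tokens issued but never activated) can be read straight off a directory export, which is also what the earlier IRS finding about passwords unchanged for nearly two years calls for. The Python below is an added example, not from the report or the Department: it applies the 90-day limits the text gives as the Department's own policy to a constructed set of account records and returns the offenders plus the token activation rate. The field names and the rule that an account never logged into counts as dormant are assumptions made for the example.

```python
"""Added example, not from the report: an account-hygiene audit applying
the policies the text describes (passwords rotated within 90 days,
accounts disabled after 90 days dormant) and the token-activation gap.
Account records are constructed; field names are assumed."""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # rotation limit stated as Department policy
MAX_DORMANT_DAYS = 90        # deactivation limit stated as Department policy

# Constructed directory export; dates are ISO strings, None means never.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_pw_change": "2013-12-20",
     "last_login": "2014-01-10", "token_issued": True,  "token_activated": True},
    {"user": "bob",   "enabled": True,  "last_pw_change": "2012-11-01",
     "last_login": "2014-01-09", "token_issued": True,  "token_activated": False},
    {"user": "carol", "enabled": True,  "last_pw_change": "2013-09-01",
     "last_login": "2013-08-30", "token_issued": True,  "token_activated": False},
    {"user": "dave",  "enabled": True,  "last_pw_change": "2013-12-01",
     "last_login": None,         "token_issued": False, "token_activated": False},
    {"user": "erin",  "enabled": False, "last_pw_change": "2013-01-01",
     "last_login": "2013-02-01", "token_issued": True,  "token_activated": False},
]


def _age_days(iso_date, as_of):
    """Days between an ISO date string and as_of; None passes through."""
    if iso_date is None:
        return None
    return (as_of - date.fromisoformat(iso_date)).days


def audit_accounts(accounts, as_of="2014-01-13"):
    """Apply the policies to every enabled account and return the offenders.
    Disabled accounts are skipped because the policies concern live access."""
    today = date.fromisoformat(as_of)
    report = {"stale_password": [], "password_over_a_year": [],
              "dormant_not_disabled": [], "tokens_unactivated": [],
              "token_activation_rate": 0.0}
    issued = activated = 0
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        pw_age = _age_days(acct["last_pw_change"], today)
        if pw_age is None or pw_age > MAX_PASSWORD_AGE_DAYS:
            report["stale_password"].append(user)
        if pw_age is not None and pw_age > 365:
            report["password_over_a_year"].append(user)
        login_age = _age_days(acct["last_login"], today)
        # Assumption: an account never logged into is dormant from day one.
        if login_age is None or login_age > MAX_DORMANT_DAYS:
            report["dormant_not_disabled"].append(user)
        if acct["token_issued"]:
            issued += 1
            if acct["token_activated"]:
                activated += 1
            else:
                report["tokens_unactivated"].append(user)
    report["token_activation_rate"] = activated / issued if issued else 0.0
    return report


if __name__ == "__main__":
    for key, value in audit_accounts(ACCOUNTS).items():
        print(f"{key}: {value}")
```

Run on a real export the useful output is the dormant-but-enabled list, since that is the one a departing employee's account lands on; the activation rate is the single number that would have shown the "fewer than half" token finding before the OIG did.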


[54] "Security Controls for Data Protection over the Virtual Data Center (Plano, TX)," Office of Inspector General, Department of Education, September 2010, p. 2, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2010/a11j0006.pdf, accessed January 13, 2014.

[55] "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2012," Office of Inspector General, Department of Education, November 2012, p. 8, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2013/a11m0003.pdf, accessed January 13, 2014.

[56] "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013," November 2013, p. 10, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2014/a11n0001.pdf, accessed January 13, 2014.

[57] "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013," November 2013, pp. 12-13, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2014/a11n0001.pdf, accessed January 13, 2014.

[58] "The U.S. Department of Education's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013," November 2013, p. 24, http://www2.ed.gov/about/offices/list/oig/auditreports/fy2014/a11n0001.pdf, accessed January 13, 2014.
Department of Energy

The many agencies and offices of the sprawling Department of Energy touch nearly every aspect of the nation's energy infrastructure, from generation to transmission and transportation, commercial exchange, research and more. Given how critical its operations are to the national economy and security, one might expect its technology to be more securely protected than most other agencies.

Instead, a close inspection shows the Energy Department's cybersecurity suffers from many of the same basic vulnerabilities and weaknesses found at other federal institutions, which increase the risk that the department's systems could be hacked, and even brought down.[59] Indeed, in January 2013 hackers reportedly compromised 14 servers and 20 workstations, and made off with personal information on hundreds of government and contract employees, and possibly other information.[60] And last July, hackers made off with personal information for 104,000 past and present employees.[61]


Widespread weaknesses at power distribution agency. In October 2012, the Energy IG released an alarming report on cybersecurity weaknesses at the Western Area Power Administration, which markets and delivers wholesale electricity to power millions of homes and businesses through 15 central and western states. "Nearly all" of the 105 computers tested had at least one out-of-date patch; a public-facing server was configured with a default name and password, which "could have allowed an attacker with an Internet connection to obtain unauthorized access to an internal database supporting the electricity scheduling system." What's more, officials at the agency "did not always identify and correct known vulnerabilities." One reason the IG cited: although officials ran vulnerability checks on their IT systems, they ran "less intrusive" scans so as not to slow overall system performance. But those lightweight scans sometimes missed significant weaknesses.[62]


Weak usernames, passwords, and other access controls. The Energy Department's Inspector General found during a 2012 review over a quarter of the sites examined had weak access controls. The problems included weak usernames and passwords; accounts with improper access; and a server with insufficient security to prevent it from being remotely controlled.[63]

[59] "Evaluation Report: The Department's Unclassified Cyber Security Program — 2012," Department of Energy Office of the Inspector General, November 2012, pp. 2-3, http://energy.gov/sites/prod/files/IG-0877.pdf, accessed January 13, 2014.

[60] Perlroth, Nicole, "Energy Department Is the Latest Victim of an Online Attack," New York Times, February 2013 [URL garbled in source], accessed January 13, 2014.

[61] Goodin, Dan, "How hackers made minced meat out of the Department of Energy networks," Ars Technica, Dec. 16, 2013 [URL garbled in source], accessed January 13, 2014.

[62] "Audit Report: Management of Western Area Power Administration's Cyber Security Program," Department of Energy Office of the Inspector General, October 2012, pp. 1-2, http://energy.gov/sites/prod/files/IG-0873.pdf, accessed January 13, 2014.


Failure to apply critical patches and updates to software. In 2013, the IG found that 41 percent of the Department's desktop computers auditors examined were running operating systems or applications which had known vulnerabilities that were not patched, even though the software developers had made patches available.[64] In 2012, the IG's team found 41 network servers running operating systems that were no longer supported by the developer, meaning that even when vulnerabilities were discovered in the system, no patch would be made available.[65]

Vulnerable web applications. Several Department web applications had weak security, increasing the risk a hacker could gain unauthorized access to sensitive systems and obtain information, add or change data, or inject flaws or malicious code, the IG found. The weaknesses included the sorts which are considered the most commonly exploited vulnerabilities for web applications.[66]

Unprotected servers. Eleven servers checked by the OIG last year had no password protections or default/weak passwords, meaning an attacker could gain access to the systems, and could use them to attack other systems on the Department's network. One of the unprotected machines the OIG found was a payroll server, which was configured to allow remote access to anyone, without a username or password.[67]


[63] "Evaluation Report: The Department's Unclassified Cyber Security Program — 2012," Department of Energy Office of the Inspector General, November 2012, pp. 2-3, http://energy.gov/sites/prod/files/IG-0877.pdf, accessed January 13, 2014.

[64] "Evaluation Report: The Department of Energy's Unclassified Cyber Security Program — 2013," Department of Energy Office of the Inspector General, October 2013, http://energy.gov/sites/prod/files/2013/11/f4/IG-0897.pdf, accessed January 13, 2014.

[65] "Evaluation Report: The Department's Unclassified Cyber Security Program — 2012," Department of Energy Office of the Inspector General, November 2012, pp. 3-4, http://energy.gov/sites/prod/files/IG-0877.pdf, accessed January 13, 2014.

[66] "Evaluation Report: The Department's Unclassified Cyber Security Program — 2012," Department of Energy Office of the Inspector General, November 2012, pp. 4-5, http://energy.gov/sites/prod/files/IG-0877.pdf, accessed January 13, 2014.

[67] "Evaluation Report: The Department of Energy's Unclassified Cyber Security Program — 2013," Department of Energy Office of the Inspector General, October 2013, http://energy.gov/sites/prod/files/2013/11/f4/IG-0897.pdf, accessed January 13, 2014.
Securities and Exchange Commission

Over the last two decades, financial markets have become increasingly reliant on technology to handle the expanding volume of their business. Today, exchanges like the New York Stock Exchange process millions of trades a day electronically.

In response, the Securities and Exchange Commission (SEC) developed a dedicated team within its Trading and Markets Division to keep an eye on how markets build and manage key trading systems. Among the division's duties is ensuring markets safeguard their systems from hackers and other malicious cyber intruders.

But a 2012 investigation into the team found conduct which did not reflect a concern for security. Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts.[68] They used unencrypted laptops to store sensitive information, in violation of SEC policy — and contravening their own advice to the stock exchanges. Their laptops also lacked antivirus software.[69] The laptops contained "vulnerability assessments and maps and networking diagrams of how to hack into the exchanges," according to one SEC official.[71]

The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits.[72] They also appeared to have connected laptops containing sensitive information to unprotected wi-fi networks at public locations like hotels — in at least one reported case, at a convention of computer hackers.[73]


[68] "Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets," Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed June 10, 2013; Lynch, Sarah N., "U.S. SEC staffers used govn't computers for personal use," November 9, 2012, http://www.reuters.com/article/2012/11/09/sec-cyber-report-idUSL1E8M9CMI20121109, accessed January 13, 2014.

[69] Lynch, Sarah N., "EXCLUSIVE: SEC left computers vulnerable to cyber attacks," Reuters, November 9, 2012.

[70] "Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets," Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 3, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

[71] Lynch, Sarah N., "NYSE hires ex-homeland security chief after SEC security lapse," Reuters, November 16, 2012, http://www.reuters.com/article/2012/11/16/sec-cyber-nyse-idUSL1E8MG95K20121116, accessed January 13, 2014.

[72] "Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets," Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 24, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

[73] Lynch, Sarah N., "U.S. SEC staffers used govn't computers for personal use," November 9, 2012, http://www.reuters.com/article/2012/11/09/sec-cyber-report-idUSL1E8M9CMI20121109, accessed January 13, 2014.
The investigation also found that while SEC policy prohibited employees from accessing personal e-mail from web-based sites like Gmail, SEC officials in the division arranged to access an internet-connected network which did not block such sites.[74] These employees also brought in their own personal computers and connected them to the SEC's network.[75] And for a period of several months, the team's network had no firewall or intrusion protection software running.[76] All of these practices increased the risk of introducing viruses and other malware to SEC computers, and potentially compromised sensitive data about the cybersecurity of securities exchanges, not to mention the SEC's own protections.[77]


[74] "Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets," Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 31, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

[75] "Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets," Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 35, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

[76] "Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets," Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 34, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.

[77] "Investigation Into Misuse of Resources and Violations of Information Technology Security Policies Within the Division of Trading and Markets," Securities and Exchange Commission Office of Inspector General, Aug. 30, 2012, p. 30, http://www.sec-oig.gov/Reports/OOI/2012/OIG-557.pdf, accessed January 13, 2014.
Document 2014/0103635
From: Dürig, Markus, Dr.
Sent: Sunday, 2 March 2014 21:23
To: Treib, Heinz Jürgen; Gitter, Rotraud, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.
Subject: FW: Meeting CA-B / Chris Painter on 28.2.14
Attachments: 140228 Vm Gespräch CA-B Painter.doc

FYI: there is work coming our way.

Dr. Markus Dürig
Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de

From: Schallbruch, Martin
Sent: Sunday, 2 March 2014 09:44
To: Schwärzer, Er mwin; Dürig, Markus, Dr.
Cc: Batt, Peter
Subject: FW: Meeting CA-B / Chris Painter on 28.2.14

Sent from my BlackBerry 10 smartphone.

From: .WASH POL-S1 Neuhaeusler, Katja <pol-s1@wash.auswaertiges-amt.de>
Sent: Friday, 28 February 2014 21:28
To: Schallbruch, Martin
Subject: FW: Meeting CA-B / Chris Painter on 28.2.14

Dear Mr Schallbruch,

Attached is advance information, as official distribution will certainly not take place until Monday.

Will approach BMI and BMWI next week. Whom in your department can I contact as point of contact?

Kind regards, Dirk B

Subject: Meeting CA-B / Chris Painter on 28.2.14

KSCA:
please distribute,
Kind regards, Dirk B
Attachment to document 2014-0103635.msg

1. 140228 Vm Gespräch CA-B Painter.doc, 2 pages
EMBASSY WASHINGTON, 28 February 2014
Pol 360.00/Cyber
Drafted by: Brengelmann / Prechel

Memorandum

Re: Transatlantic Cyber Dialogue

Here: Meeting of CA-B Brengelmann with State Department Cyber Coordinator Painter on 28 February 2014 in Washington

Participants: Christopher Painter, Michelle Markoff (Deputy Coordinator), Thomas Dukes (Senior Advisor); CA-B, ARin Prechel

Points to note from the meeting:

1. Transatlantic Cyber Dialogue

CA-B explained his understanding of the agreement reached by Federal Minister Steinmeier and Secretary Kerry the previous day. In the context of (back-to-back with) the next regular cyber consultations in Berlin (in May/June, after the Internet Governance conference in Brazil and the Freedom Online Coalition conference in Tallinn), an open cyber dialogue process with representatives from academia, civil society and business is to be launched. This process should also serve to regain the trust lost through the NSA affair.

At this point no further decisions on details such as working groups or the concrete end product of this process. The central topic should be each side's understanding of a "proper balance between security and freedom". That includes questions such as privacy and data protection. Beyond that, exchange on economic (innovation) potential (cloud computing, big data); hence also a link to John Podesta's review of "Big Data and Privacy". Furthermore, cooperation on questions of international cyber policy.

For possible participants a broad approach should be chosen (other ministries, academics, NGOs, companies, associations...), with the discussion structured by topic.

As "facilitator" for the first event in Berlin, the Stiftung Neue Verantwortung (Ben Scott), for example, could be considered.

Chris Painter (P.) welcomed the ministers' agreement and made clear that the US side seeks a recognisable (including thematic) link to the cyber consultations. P. expressed the expectation that the focus of the dialogue would not lie on surveillance measures and revelations, and that a "highly charged emotional session" would be avoided. The dialogue should instead reflect the full spectrum of cyber topics. On the question of participants, agreement with the proposed multi-stakeholder approach; no involvement of members of parliament. The US side would like co-chairing by the two cyber coordinators and no "facilitator", so that the direction and tone of the dialogue event can at least be somewhat controlled.

CA-B: Opening of the conference public, the conference itself then under Chatham House rule.
In the coming days CA-B will propose dates to the US side and undertake further fine-tuning.

2. Other matters

Brief exchange in each case on preparations for the Brazil conference and for the Freedom Online Coalition conference, without any really new findings. The report of the Ilves panel on IG may be available soon.

CA-B urged committed US participation in the next GGE (Group of Governmental Experts), which cannot yet be regarded as assured. P. promised this. The US is planning a tutorial for new GGE members in advance (possibly by CSIS at the end of May / beginning of June).

signed
Brengelmann

Distribution: KS-CA, 010, 030, D2, 200, 02, 244, BMI (AL IT), BMWI (AL VD
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Dokument 2014/0109474 
Von: Gitter, Rotraud, Dr. 
Gesendet: Dienstag, 4. März 2014 10:45 
An: RegIT3 
Betreff: WG: Eiltsehr: LIBE Berichtsentwurf NSA 
Anlagen: moraes 1014703 en.pdf 
Wichtigkeit: Hoch 
Bitte z. VG. 
i.A. 
R. Gitter 


Dr. Rotraud Gitter LL.M. Eur.
Bundesministerium des Innern
Division IT 3 - IT Security
Alt-Moabit 101 D
10559 Berlin
Tel: +49-30-18681-1584
Fax: +49-30-18681-51584

From: Jergl, Johann
Sent: Monday, 3 March 2014 11:52
To: Gitter, Rotraud, Dr.
Subject: FW: Very urgent: LIBE draft report NSA
Importance: High


That should all have been in January.


From: Weinbrenner, Ulrich
Sent: Friday, 17 January 2014 16:58
To: Spitzer, Patrick, Dr.
Subject: FW: Very urgent: LIBE draft report NSA
Importance: High


From: Peters, Reinhard
Sent: Friday, 17 January 2014 16:44
To: ALOES_; Kaller, Stefan BUM
Cc: PStSchröder_; StHaber ; Weinbrenner, Ulrich; Kutzschbach, Gregor, Dr.; OESDAG ; Glaser, Anika
Subject: FW: Very urgent: LIBE draft report NSA
Importance: High





From: Weinbrenner, Ulrich
Sent: Friday, 17 January 2014 16:26
To: Peters, Reinhard
Cc: PStSchröder ; Kutzschbach, Gregor, Dr.; OESBAG_; StHaber ; ALOES_; Glaser, Anika
Subject: Very urgent: LIBE draft report NSA
Importance: High


To PStS
via
Ms Stn Haber (with the request for approval, also for forwarding to St Fritsche)


Mr AL ÖS
Mr UAL ÖS I PR 17/1


- due to urgency by email only -


I. Recommendation
It is proposed to forward the suggestions below for amendments to the LIBE draft report.


II. Facts/Position

Based on expert hearings, discussions with US and EU authorities and newspaper articles, the LIBE Committee has drafted a report on NSA surveillance programmes. It concludes that the NSA, partly together with authorities in the UK, Canada and New Zealand, carries out mass surveillance of electronic communications and thereby presumably also violates the rights of EU citizens and Member States. It proposes a broad package of measures: review and adjustment of agreements with the USA, strengthening of ENISA, the Europol Cybercrime Centre and the EDPS, and various appeals to the Commission and the Member States. The centrepiece is a "Digital Habeas Corpus" comprising 7 points:


1. Conclusion of the data protection package in 2014
Position: In principle possible. However, a large number of important questions still need to be clarified. Thoroughness must therefore take precedence over speed.


2. Conclusion of the EU-US data protection agreement
Position: No objections. The EU Commission is responsible.


3. Suspension of the Safe Harbour agreement
Position: The Federal Government has advocated creating a legal framework in the General Data Protection Regulation to improve Safe Harbour. If the General Data Protection Regulation cannot be adopted by 2015, Safe Harbour can also be revised and improved under Directive 95/46. The question of whether a suspension of the Safe Harbour agreement is an option is being discussed together with our European partners in Brussels.


4. Suspension of the TFTP agreement (concerning access to SWIFT data for counter-terrorism purposes) until the conclusion of the data protection agreement
Position: Given that the Commission, after concluding its consultations on the allegations that the USA had accessed the SWIFT server directly in circumvention of the TFTP agreement, could find no indications of a violation, there is in our view currently no reason to suspend the agreement.


5. Better protection of the rights of EU citizens (without further specification)
Position: No objections.


6. Development of a strategy for a European (independent) IT industry
Position: Agreement. Corresponds to a demand in the coalition agreement: "In order to protect freedom and security on the internet, we are strengthening and shaping the internet infrastructure of Germany and Europe as a space of trust. To this end we advocate a European cyber security strategy, take measures to regain technological sovereignty, support the development of trustworthy IT and network infrastructure as well as the development of secure software and hardware and secure cloud technology, and also welcome offers of national or European routing."


7. EU policy as a reference for democratic and neutral internet governance
Position: No objections.


III. Further comments:

The conclusions are hardly surprising, even though some of them cannot be substantiated and rely only on assumptions or press reports. Some points are, however, critical from the German perspective and should therefore be deleted. In detail:


1) p. 16 (Main findings No. 2): The Committee believes that (alongside France and Sweden) Germany also operates surveillance programmes similar to PRISM. This must be firmly rejected. German authorities may collect communications data only in individual cases, on a statutory basis and on the basis of a formal order. Strategic signals intelligence under § 5 of the Article 10 Act is likewise permissible only in narrowly limited cases, on the basis of what has been specified in advance in the order, following an order by the G10 Commission and under the control of the Parliamentary Control Panel, which has to confirm the affected telecommunications relationships. In addition, § 10(4) sentence 4 G 10 provides for a limit of 20 % of the possible volume.


2) p. 19 (Recommendations No. 20): Accordingly, the call on Germany (alongside the UK, France, Sweden and the Netherlands) to review or revise its legislation is also to be deleted. The relevant provisions here comply with the requirements of the corresponding rulings of the Federal Constitutional Court and are compatible with fundamental rights. Independently of this, national security legislation lies outside the competence of the EU and thus also of the EP.


3) p. 24 (Recommendations No. 24): The call on all Member States to pursue the alleged violations of their sovereignty also through the courts is likewise problematic. It is solely for the Member State to decide whether it considers its sovereignty violated and by what means it wishes to take action, if any.


Weinbrenner Dr. Kutzschbach 








From: PStSchröder_
Sent: Friday, 10 January 2014 11:14
To: ALOES_
Cc: StFritsche ; UALOESI ; StabOESII ; UALGII ; OESI3AG ; MB ; Baum, Michael, Dr.;
PStSchröder ; AA Eickelpasch, Jörg
Subject: LIBE draft report NSA, with request for comments by 17 Jan.


Vg. 13/14
Dear Mr Kaller,


PStS has received the attached draft report from Mr Voss, MEP. This came with the offer to submit suggestions for amendments which MEP Voss could table with the LIBE Committee by 22 Jan.


Against this background, PStS requests examination, comments and, where appropriate, proposals for amendments suitable for forwarding by Friday, 17 Jan., DS (receipt at the PStS office).


The following information on the procedure was attached:


This is the draft report by rapporteur Claude Moraes (S&D, UK) of the NSA working group on "US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' fundamental rights and on transatlantic cooperation in Justice and Home Affairs". The draft report is the final document of the NSA working group. The group was set up by a motion for a resolution on 4 July 2013 within the Committee on Civil Liberties, Justice and Home Affairs (LIBE) to investigate the facts surrounding the alleged internet surveillance by the NSA and to present its findings to the LIBE Committee in the form of a final report. After 15 hearings, this report is now available for examination and can now be modified by amendments.


The deadline for amendments is 22 January. The further timetable provides for a vote in the LIBE Committee in February and subsequently a vote in plenary in March.


Kind regards
On behalf of

Alexandra Kuczynski

Bundesministerium des Innern

Personal Assistant to the
Parliamentary State Secretary Dr. Ole Schröder
Alt-Moabit 101 D, 10559 Berlin

Telephone: +49 (0)30 18 681 1056
Fax: +49 (0)30 18 681 1137

E-Mail: alexandra.kuczynski@bmi.bund.de
MOTION FOR A EUROPEAN PARLIAMENT RESOLUTION


on the US NSA surveillance programme, surveillance bodies in various Member States and
their impact on EU citizens' fundamental rights and on transatlantic cooperation in Justice and
Home Affairs

(2013/2188(INI))


The European Parliament, 


— having regard to the Treaty on European Union (TEU), in particular Articles 2, 3, 4, 5, 
6, 7, 10, 11 and 21 thereof, 


— having regard to the Treaty on the Functioning of the European Union (TFEU), in 
particular Articles 15, 16 and 218 and Title V thereof, 


— having regard to Protocol 36 on transitional provisions and Article 10 thereof and to 
Declaration 50 concerning this protocol, 


— having regard to the Charter on Fundamental Rights of the European Union, in
particular Articles 1, 3, 6, 7, 8, 10, 11, 20, 21, 42, 47, 48 and 52 thereof,


— having regard to the European Convention on Human Rights, notably its Articles 6, 8,
9, 10 and 13, and the protocols thereto,


— having regard to the Universal Declaration of Human Rights, notably its Articles 7, 8,
10, 11, 12 and 14¹,


— having regard to the International Covenant on Civil and Political Rights, notably its
Articles 14, 17, 18 and 19,


— having regard to the Council of Europe Convention on Data Protection (ETS No 108) 
and its Additional Protocol of 8 November 2001 to the Convention for the Protection 
of Individuals with regard to Automatic Processing of Personal Data regarding 
supervisory authorities and transborder data flows (ETS No 181), 


— having regard to the Council of Europe Convention on Cybercrime (ETS No 185), 


— having regard to the Report of the UN Special Rapporteur on the promotion and
protection of human rights and fundamental freedoms while countering terrorism,
submitted on 17 May 2010²,


— having regard to the Report of the UN Special Rapporteur on the promotion and
protection of the right to freedom of opinion and expression, submitted on 17 April
2013³,


— having regard to the Guidelines on human rights and the fight against terrorism 


¹ http://www.un.org/en/documents/udhr/
² http://daccess-dds-ny.un.org/doc/UNDOC/GEN/G10/134/10/PDF/G1013410.pdf?OpenElement
³ http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf
adopted by the Committee of Ministers of the Council of Europe on 11 July 2002,


— having regard to the Declaration of Brussels of 1 October 2010, adopted at the 6th
Conference of the Parliamentary Committees for the Oversight of Intelligence and
Security Services of the European Union Member States,


— having regard to Council of Europe Parliamentary Assembly Resolution No 1954 
(2013) on national security and access to information, 


— having regard to the report on the democratic oversight of the security services
adopted by the Venice Commission on 11 June 2007¹, and expecting with great
interest the update thereof, due in spring 2014,


— having regard to the testimonies of the representatives of the oversight committees on
intelligence of Belgium, the Netherlands, Denmark and Norway, 


— having regard to the cases lodged before the French², Polish and British³ courts, as
well as before the European Court of Human Rights⁴, in relation to systems of mass
surveillance,


— having regard to the Convention established by the Council in accordance with Article
34 of the Treaty on European Union on Mutual Assistance in Criminal Matters
between the Member States of the European Union, and in particular to Title II
thereof⁵,


— having regard to Commission Decision 520/2000 of 26 July 2000 on the adequacy of 
the protection provided by the Safe Harbour privacy principles and the related 
frequently asked questions (FAQs) issued by the US Department of Commerce, 


— having regard to the Commission assessment reports on the implementation of the
Safe Harbour privacy principles of 13 February 2002 (SEC(2002)196) and of 
20 October 2004 (SEC(2004)1323), 


— having regard to the Commission Communication of 27 November 2013 
(COM(2013)847) on the functioning of the Safe Harbour from the perspective of EU 
citizens and companies established in the EU and the Commission Communication of 
27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)846), 


— having regard to the European Parliament resolution of 5 July 2000 on the Draft 
Commission Decision on the adequacy of the protection provided by the Safe Harbour 
privacy principles and related frequently asked questions issued by the US Department 
of Commerce, which took the view that the adequacy of the system could not be 


¹ http://www.venice.coe.int/webforms/documents/CDL-AD(2007)016.aspx
² La Fédération Internationale des Ligues des Droits de l'Homme and La Ligue française pour la défense des
droits de l'Homme et du Citoyen against X; Tribunal de Grande Instance of Paris.
³ Cases by Privacy International and Liberty in the Investigatory Powers Tribunal.
⁴ Joint Application Under Article 34 of Big Brother Watch, Open Rights Group, English Pen, Dr Constanze Kurz
(Applicants) v United Kingdom (Respondent).
⁵ OJ C 197, 12.7.2000, p. 1.
confirmed¹, and to the Opinions of the Article 29 Working Party, more particularly
Opinion 4/2000 of 16 May 2000²,


— having regard to the agreements between the United States of America and the
European Union on the use and transfer of passenger name records (PNR agreement)
of 2004, 2007³ and 2012⁴,


— having regard to the Joint Review of the implementation of the Agreement between
the EU and the USA on the processing and transfer of passenger name records to the
US Department of Homeland Security⁵, accompanying the report from the
Commission to the European Parliament and to the Council on the joint review
(COM(2013)844),


— having regard to the opinion of Advocate-General Cruz Villalón concluding that
Directive 2006/24/EC on the retention of data generated or processed in connection
with the provision of publicly available electronic communications services or of
public communications networks is as a whole incompatible with Article 52(1) of the
Charter of Fundamental Rights of the European Union and that Article 6 thereof is
incompatible with Articles 7 and 52(1) of the Charter⁶,


— having regard to Council Decision 2010/412/EU of 13 July 2010 on the conclusion of
the Agreement between the European Union and the United States of America on the
processing and transfer of Financial Messaging Data from the European Union to the
United States for the purposes of the Terrorist Finance Tracking Program (TFTP)⁷ and
the accompanying declarations by the Commission and the Council,


— having regard to the Agreement on mutual legal assistance between the European
Union and the United States of America⁸,


— having regard to the ongoing negotiations on an EU-US framework agreement on the 
protection of personal data when transferred and processed for the purpose of 
preventing, investigating, detecting or prosecuting criminal offences, including 
terrorism, in the framework of police and judicial cooperation in criminal matters (the 
‘Umbrella agreement’),


— having regard to Council Regulation (EC) No 2271/96 of 22 November 1996
protecting against the effects of the extra-territorial application of legislation adopted
by a third country, and actions based thereon or resulting therefrom⁹,


— having regard to the statement by the President of the Federative Republic of Brazil at


¹ OJ C 121, 24.4.2001, p. 152.
² http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2000/wp32en.pdf
³ OJ L 204, 4.8.2007, p. 18.
⁴ OJ L 215, 11.8.2012, p. 5.
⁵ SEC(2013)630, 27.11.2013.
⁶ Opinion of Advocate General Cruz Villalón, 12 December 2013, Case C-293/12.
⁷ OJ L 195, 27.7.2010, p. 3.
⁸ OJ L 181, 19.7.2003, p. 34.
⁹ OJ L 309, 29.11.1996, p. 1.
the opening of the 68th session of the UN General Assembly on 24 September 2013
and to the work carried out by the Parliamentary Committee of Inquiry on De
established by the Federal Senate of Brazil,


— having regard to the US PATRIOT Act signed by President George W. Bush on
26 October 2001,


— having regard to the Foreign Intelligence Surveillance Act (FISA) of 1978 and the
FISA Amendments Act of 2008, 


— having regard to Executive Order No 12333, issued by the US President in 1981 and
amended in 2008,


— having regard to legislative proposals currently under examination in the US Congress,
in particular the draft US Freedom Act, 


— having regard to the reviews conducted by the Privacy and Civil Liberties Oversight
Board, the US National Security Council and the President's Review Group on
Intelligence and Communications Technology, particularly the report by the latter of
12 December 2013 entitled 'Liberty and Security in a Changing World',


— having regard to the ruling of the United States District Court for the District of
Columbia, Klayman et al. v Obama et al., Civil Action No 13-0851 of 16 December 
2013, 


— having regard to the report on the findings by the EU Co-Chairs of the ad hoc EU-US
Working Group on data protection of 27 November 2013¹,


— having regard to its resolutions of 5 September 2001 and 7 November 2002 on the 
existence of a global system for the interception of private and commercial 
communications (ECHELON interception system), 


— having regard to its resolution of 21 May 2013 on the EU Charter: standard settings
for media freedom across the EU²,


— having regard to its resolution of 4 July 2013 on the US National Security Agency
surveillance programme, surveillance bodies in various Member States and their
impact on EU citizens, whereby it instructed its Committee on Civil Liberties, Justice
and Home Affairs to conduct an in-depth inquiry into the matter³,


— having regard to its resolution of 23 October 2013 on organised crime, corruption and
money laundering: recommendations on action and initiatives to be taken⁴,


— having regard to its resolution of 23 October 2013 on the suspension of the TFTP


¹ Council document 16987/13.
² Texts adopted, P7_TA(2013)0203.
³ Texts adopted, P7_TA(2013)0322.
⁴ Texts adopted, P7_TA(2013)0444.
agreement as a result of US National Security Agency surveillance¹,


— having regard to its resolution of 10 December 2013 on unleashing the potential of
cloud computing²,


— having regard to the interinstitutional agreement between the European Parliament and
the Council concerning the forwarding to and handling by the European Parliament of
classified information held by the Council on matters other than those in the area of
the common foreign and security policy³,


— having regard to Annex VIII of its Rules of Procedure, 
— having regard to Rule 48 of its Rules of Procedure, 


— having regard to the report of the Committee on Civil Liberties, Justice and Home
Affairs (A7-0000/2013),


The impact of mass surveillance


A. whereas the ties between Europe and the United States of America are based on the 
spirit and principles of democracy, liberty, justice and solidarity; 


B. whereas mutual trust and understanding are key factors in the transatlantic dialogue; 


C. whereas in September 2001 the world entered a new phase which resulted in the fight
against terrorism being listed among the top priorities of most governments; whereas 
the revelations based on leaked documents from Edward Snowden, former NSA 
contractor, put democratically elected leaders under an obligation to address the 
challenges of the increasing capabilities of intelligence agencies in surveillance 
activities and their implications for the rule of law in a democratic society; 


D. whereas the revelations since June 2013 have caused numerous concerns within the 
EU as to: 


• the extent of the surveillance systems revealed both in the US and in EU
Member States;


• the high risk of violation of EU legal standards, fundamental rights and data
protection standards;


• the degree of trust between EU and US transatlantic partners;


• the degree of cooperation and involvement of certain EU Member States with
US surveillance programmes or equivalent programmes at national level as
unveiled by the media;


• the degree of control and effective oversight by the US political authorities and
certain EU Member States over their intelligence communities;


¹ Texts adopted, P7_TA(2013)0449.
² Texts adopted, P7_TA(2013)0535.
³ OJ C 353 E, 3.12.2013, p. 156-167.
• the possibility of these mass surveillance operations being used for reasons
other than national security and the strict fight against terrorism, for example
economic and industrial espionage or profiling on political grounds;


• the respective roles and degree of involvement of intelligence agencies and
private IT and telecom companies;


• the increasingly blurred boundaries between law enforcement and intelligence
activities, leading to every citizen being treated as a suspect;


• the threats to privacy in a digital era;


E. whereas the unprecedented magnitude of the espionage revealed requires full 
investigation by the US authorities, the European Institutions and Member States'
governments and national parliaments; 


F. whereas the US authorities have denied some of the information revealed but not 
contested the vast majority of it; whereas the public debate has developed on a large 
scale in the US and in a limited number of EU Member States; whereas EU 
governments too often remain silent and fail to launch adequate investigations; 


G. whereas it is the duty of the European Institutions to ensure that EU law is fully 
implemented for the benefit of European citizens and that the legal force of EU 
Treaties is not undermined by a dismissive acceptance of extraterritorial effects of 
third countries’ standards or actions; 


Developments in the US on reform of intelligence 


H. whereas the District Court for the District of Columbia, in its Decision of 16
December 2013, has ruled that the bulk collection of metadata by the NSA is in breach
of the Fourth Amendment to the US Constitution¹;


I. whereas a Decision of the District Court for the Eastern District of Michigan has ruled
that the Fourth Amendment requires reasonableness in all searches, prior warrants for
any reasonable search, warrants based upon prior-existing probable cause, as well as
particularity as to persons, place and things and the interposition of a neutral
magistrate between Executive branch enforcement officers and citizens²;


J. whereas in its report of 12 December 2013, the President's Review Group on 
Intelligence and Communication Technology proposes 45 recommendations to the 
President of the US; whereas the recommendations stress the need simultaneously to 
protect national security and personal privacy and civil liberties; whereas in this regard
it invites the US Government to end bulk collection of phone records of US persons 
under Section 215 of the Patriot Act as soon as practicable, to undertake a thorough 
review of the NSA and the US intelligence legal framework in order to ensure respect 
for the right to privacy, to end efforts to subvert or make vulnerable commercial 
software (backdoors and malware), to increase the use of encryption, particularly in 


¹ Klayman et al. v Obama et al., Civil Action No 13-0851, 16 December 2013.
² ACLU v. NSA No 06-CV-10204, 17 August 2006.
the case of data in transit, and not to undermine efforts to create encryption standards,
to create a Public Interest Advocate to represent privacy and civil liberties before the
Foreign Intelligence Surveillance Court, to confer on the Privacy and Civil Liberties
Oversight Board the power to oversee Intelligence Community activities for foreign
intelligence purposes, and not only for counterterrorism purposes, and to receive
whistleblowers' complaints, to use Mutual Legal Assistance Treaties to obtain
electronic communications, and not to use surveillance to steal industry or trade
secrets;


K. whereas in respect of intelligence activities about non-US persons under Section 702
of FISA, the Recommendations to the President of the USA recognise the fundamental
issue of respect for privacy and human dignity enshrined in Article 12 of the Universal
Declaration of Human Rights and Article 17 of the International Covenant on Civil
and Political Rights; whereas they do not recommend granting non-US persons the
same rights and protections as US persons;


Legal framework 


Fundamental rights 


L. whereas the report on the findings by the EU Co-Chairs of the ad hoc EU-US Working
Group on data protection provides for an overview of the legal situation in the US but
has not helped sufficiently with establishing the facts about US surveillance
programmes; whereas no information has been made available about the so-called
'second track' Working Group, under which Member States discuss bilaterally with
the US authorities matters related to national security;


M. whereas fundamental rights, notably freedom of expression, of the press, of thought,
of conscience, of religion and of association, private life, data protection, as well as 
the right to an effective remedy, the presumption of innocence and the right to a fair 
trial and non-discrimination, as enshrined in the Charter on Fundamental Rights of the 
European Union and in the European Convention on Human Rights, are cornerstones 
of democracy; 


Union competences in the field of security 


N. whereas according to Article 67(3) TFEU the EU 'shall endeavour to ensure a high
level of security'; whereas the provisions of the Treaty (in particular Article 4(2) TEU,
Article 72 TFEU and Article 73 TFEU) imply that the EU disposes of certain 
competences on matters relating to the collective security of the Union; whereas the 
EU has exercised competence in matters of internal security by deciding on a number 
of legislative instruments and concluding international agreements (PNR, TFTP) 
aimed at fighting serious crime and terrorism and by setting up an internal security 
strategy and agencies working in this field; 


O. whereas the concepts of 'national security', 'internal security', 'internal security of the
EU' and 'international security' overlap; whereas the Vienna Convention on the Law
of Treaties, the principle of sincere cooperation among EU Member States and the 
human rights law principle of interpreting any exemptions narrowly point towards a 
restrictive interpretation of the notion of 'national security' and require that Member
States refrain from encroaching upon EU competences; 


P. whereas, under the ECHR, Member States’ agencies and even private parties acting in 
the field of national security also have to respect the rights enshrined therein, be they 
of their own citizens or of citizens of other States; whereas this also goes for 
cooperation with other States’ authorities in the field of national security; 


Extra-territoriality 


Q. whereas the extra-territorial application by a third country of its laws, regulations and 
other legislative or executive instruments in situations falling under the jurisdiction of 
the EU or its Member States may impact on the established legal order and the rule of 
law, or even violate international or EU law, including the rights of natural and legal 
persons, taking into account the extent and the declared or actual aim of such an 
application; whereas, in these exceptional circumstances, it is necessary to take action 
at the EU level to ensure that the rule of law, and the rights of natural and legal
persons are respected within the EU, in particular by removing, neutralising, blocking
or otherwise countering the effects of the foreign legislation concerned; 


International transfers of data


R. whereas the transfer of personal data by EU institutions, bodies, offices or agencies or
by the Member States to the US for law enforcement purposes in the absence of 
adequate safeguards and protections for the respect of fundamental rights of EU 
citizens, in particular the rights to privacy and the protection of personal data, would 
make that EU institution, body, office or agency or that Member State liable, under 
Article 340 TFEU or the established case law of the CJEU¹, for breach of EU law,
which includes any violation of the fundamental rights enshrined in the EU Charter; 


Transfers to the US based on the US Safe Harbour 


S. whereas the US data protection legal framework does not ensure an adequate level of 
protection for EU citizens; 


T. whereas, in order to enable EU data controllers to transfer personal data to an entity in
the US, the Commission, in its Decision 520/2000, has declared the adequacy of the
protection provided by the Safe Harbour privacy principles and the related FAQs
issued by the US Department of Commerce for personal data transferred from the
Union to organisations established in the United States that have joined the Safe
Harbour;


U. whereas in its resolution of 5 July 2000 the European Parliament expressed doubts and 
concerns as to the adequacy of the Safe Harbour and called on the Commission to
review the decision in good time in the light of experience and of any legislative 
developments; 





¹ See notably Joined Cases C-6/90 and C-9/90, Francovich and others v. Italy, judgment of 28 May 1991.
V. whereas Commission Decision 520/2000 stipulates that the competent authorities in
Member States may exercise their existing powers to suspend data flows to an 
organisation that has self-certified its adherence to the Safe Harbour principles, in 
order to protect individuals with regard to the processing of their personal data in 
cases where there is a substantial likelihood that the Safe Harbour principles are being 
violated or that the continuing transfer would create an imminent risk of grave harm to 
data subjects; 

W. whereas Commission Decision 520/2000 also states that when evidence has been
provided that anybody responsible for ensuring compliance with the principles is not 
effectively fulfilling their role, the Commission must inform the US Department of 
Commerce and, if necessary, present measures with a view to reversing or suspending 
the said Decision or limiting its scope; 


X. whereas in its first two reports on the implementation of the Safe Harbour, of 2002 
and 2004, the Commission identified several deficiencies as regards the proper 
implementation of the Safe Harbour and made several recommendations to the US
authorities with a view to rectifying them;


Y. whereas in its third implementation report, of 27 November 2013, nine years after the
second report and without any of the deficiencies recognised in that report having been
rectified, the Commission identified further wide-ranging weaknesses and
shortcomings in the Safe Harbour and concluded that the current implementation
could not be maintained; whereas the Commission has stressed that wide-ranging
access by US intelligence agencies to data transferred to the US by
Safe-Harbour-certified entities raises additional serious questions as to the continuity
of protection of the data of EU data subjects; whereas the Commission addressed 13
recommendations to the US authorities and undertook to identify by summer 2014,
together with the US authorities, remedies to be implemented as soon as possible,
forming the basis for a full review of the functioning of the Safe Harbour principles;


Z. whereas on 28-31 October 2013 the delegation of the European Parliament's 
Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) to 
Washington D.C. met with the US Department of Commerce and the US Federal 
Trade Commission; whereas the Department of Commerce acknowledged the 
existence of organisations having self-certified adherence to Safe Harbour Principles 
but clearly showing a ‘not-current status’, meaning that the company does not fulfil 
Safe Harbour requirements although continuing to receive personal data from the EU; 
whereas the Federal Trade Commission admitted that the Safe Harbour should be 
reviewed in order to improve it, particularly with regard to complaints and alternative 
dispute resolution systems;


AA. whereas Safe Harbour Principles may be limited ‘to the extent necessary to meet
national security, public interest, or law enforcement requirements’; whereas, as an
exception to a fundamental right, such an exception must always be interpreted
restrictively and be limited to what is necessary and proportionate in a democratic
society, and the law must clearly establish the conditions and safeguards to make this
limitation legitimate; whereas such an exception should not be used in a way that
undermines the protection afforded by EU data protection law and the Safe Harbour
principles;


AB. whereas large-scale access by US intelligence agencies has seriously eroded
transatlantic trust and negatively impacted on the trust for US organisations acting in
the EU; whereas this is further exacerbated by the lack of judicial and administrative
redress for EU citizens under US law, particularly in cases of surveillance activities
for intelligence purposes;


Transfers to third countries with the adequacy decision


AC. whereas according to the information revealed and to the findings of the inquiry
conducted by the LIBE Committee, the national security agencies of New Zealand and
Canada have been involved on a large scale in mass surveillance of electronic
communications and have actively cooperated with the US under the so-called ‘Five
Eyes’ programme, and may have exchanged with each other personal data of EU
citizens transferred from the EU;


AD. whereas Commission Decisions 2013/65¹ and 2/2002 of 20 December 2001² have
declared the adequate level of protection ensured by New Zealand and by the
Canadian Personal Information Protection and Electronic Documents Act; whereas the
aforementioned revelations also seriously affect trust in the legal systems of these
countries as regards the continuity of protection afforded to EU citizens; whereas the
Commission has not examined this aspect;


Transfers based on contractual clauses and other instruments 


AE. whereas Directive 95/46/EC provides that international transfers to a third country
may also take place by means of specific instruments whereby the controller adduces
adequate safeguards with respect to the protection of the privacy and fundamental
rights and freedoms of individuals and as regards the exercise of the corresponding
rights;


AF. whereas such safeguards may in particular result from appropriate contractual clauses;


AG. whereas Directive 95/46/EC empowers the Commission to decide that specific
standard contractual clauses offer sufficient safeguards required by the Directive and
whereas on this basis the Commission has adopted three models of standard
contractual clauses for transfers to controllers and processors (and sub-processors) in
third countries;


AH. whereas the Commission Decisions establishing the standard contractual clauses
stipulate that the competent authorities in Member States may exercise their existing
powers to suspend data flows when it is established that the law to which the data
importer or a sub-processor is subject imposes upon them requirements to derogate
from the applicable data protection law which go beyond the restrictions necessary in
a democratic society as provided for in Article 13 of Directive 95/46/EC, where those
requirements are likely to have a substantial adverse effect on the guarantees provided
by the applicable data protection law and the standard contractual clauses, or where
there is a substantial likelihood that the standard contractual clauses in the annex are
not being or will not be complied with and the continuing transfer would create an
imminent risk of grave harm to the data subjects;


¹ OJ L 28, 30.1.2013, p. 12.
² OJ L 2, 4.1.2002, p. 13.


AI. whereas national data protection authorities have developed binding corporate rules 
(BCRs) in order to facilitate international transfers within a multinational corporation 
with adequate safeguards with respect to the protection of the privacy and fundamental
rights and freedoms of individuals and as regards the exercise of the corresponding 
rights; whereas before being used, BCRs need to be authorised by the Member States' 
competent authorities after the latter have assessed compliance with Union data 
protection law; 


Transfers based on TFTP and PNR agreements 


AJ. whereas in its resolution of 23 October 2013 the European Parliament expressed 
serious concerns about the revelations concerning the NSA's activities as regards
direct access to financial payments messages and related data, which would constitute
a clear breach of the Agreement, in particular Article 1 thereof;


AK. whereas the European Parliament asked the Commission to suspend the Agreement 
and requested that all relevant information and documents be made available 
immediately for Parliament's deliberations; 


AL. whereas following the allegations published by the media, the Commission decided to 
open consultations with the US pursuant to Article 19 of the TFTP Agreement; 
whereas on 27 November 2013 Commissioner Malmström informed the LIBE
Committee that, after meeting US authorities and in view of the replies given by the 
US authorities in their letters and during their meetings, the Commission had decided 
not to pursue the consultations on the grounds that there were no elements showing 
that the US Government has acted in a manner contrary to the provisions of the 
Agreement, and that the US has provided written assurance that no direct data 
collection has taken place contrary to the provisions of the TFTP Agreement;


AM. whereas during the LIBE delegation to Washington of 28-31 October 2013 the 
delegation met with the US Department of the Treasury; whereas the US Treasury 
stated that since the entry into force of the TFTP Agreement it had not had access to 
data from SWIFT in the EU except within the framework of the TFTP; whereas the 
US Treasury refused to comment on whether SWIFT data would have been accessed
outside TFTP by any other US government body or department or whether the US 
administration was aware of NSA mass surveillance activities; whereas on 
18 December 2013 Mr Glenn Greenwald stated before the LIBE Committee inquiry 
that the NSA and GCHQ had targeted SWIFT networks; 


AN. whereas the Belgian and Dutch Data Protection authorities decided on 13 November 
2013 to conduct a joint investigation into the security of SWIFT's payment networks 
in order to ascertain whether third parties could gain unauthorised or unlawful access 
to European citizens’ bank data¹;


AO. whereas according to the Joint Review of the EU-US PNR agreement, the United 
States Department of Homeland Security (DHS) made 23 disclosures of PNR data to 
the NSA on a case-by-case basis in support of counterterrorism cases, in a manner 
consistent with the specific terms of the Agreement; 


AP. whereas the Joint Review fails to mention the fact that in the case of processing of 
personal data for intelligence purposes, under US law, non-US citizens do not enjoy 
any judicial or administrative avenue to protect their rights, and constitutional 
protections are only granted to US persons; whereas this lack of judicial or 
administrative rights nullifies the protections for EU citizens laid down in the existing 
PNR agreement; 


Transfers based on the EU-US Mutual Legal Assistance Agreement in criminal matters 


AQ. whereas the EU-US Agreement on mutual legal assistance in criminal matters of 
6 June 2003² entered into force on 1 February 2010 and is intended to facilitate
cooperation between the EU and US to combat crime in a more effective way, having 
due regard for the rights of individuals and the rule of law; 


Framework agreement on data protection in the field of police and judicial cooperation 
(‘umbrella agreement’) 


AR. whereas the purpose of this general agreement is to establish the legal framework for 
all transfers of personal data between the EU and US for the sole purposes of 
preventing, investigating, detecting or prosecuting criminal offences, including
terrorism, in the framework of police and judicial cooperation in criminal matters; 
whereas negotiations were authorised by the Council on 2 December 2010; 


AS. whereas this agreement should provide for clear and precise legally binding 
data-processing principles and should in particular recognise EU citizens' right to 
access, rectification and erasure of their personal data in the US, as well as the right to 
an efficient administrative and judicial redress mechanism for EU citizens and 
independent oversight of the data-processing activities; 


AT. whereas in its Communication of 27 November 2013 the Commission indicated that
the ‘umbrella agreement’ should result in a high level of protection for citizens on both 
sides of the Atlantic and should strengthen the trust of Europeans in EU-US data 
exchanges, providing a basis on which to develop EU-US security cooperation and 
partnership further; 


AU. whereas negotiations on the agreement have not progressed because of the US
Government's persistent position of refusing recognition of effective rights of
administrative and judicial redress to EU citizens and because of the intention of
providing broad derogations to the data protection principles contained in the
agreement, such as purpose limitation, data retention or onward transfers either
domestically or abroad;


¹ http://www.privacycommission.be/fr/news/les-instances-europ%C3%A9ennes-charg%C3%A9es-de-contr%C3%B4ler-le-respect-de-la-vie-priv%C3%A9e-examinent-la
² OJ L 181, 19.7.2003, p. 25.


PE526.085v02-00 14/52 PR\1014703EN.doc


Data Protection Reform 


AV. whereas the EU data protection legal framework is currently being reviewed in order 
to establish a comprehensive, consistent, modern and robust system for all data- 
processing activities in the Union; whereas in January 2012 the Commission presented
a package of legislative proposals: a General Data Protection Regulation¹, which will
replace Directive 95/46/EC and establish a uniform law throughout the EU, and a
Directive² which will lay down a harmonised framework for all data processing
activities by law enforcement authorities for law enforcement purposes and will 
reduce the current divergences among national laws; 


AW. whereas on 21 October 2013 the LIBE Committee adopted its legislative reports on 
the two proposals and a decision on the opening of negotiations with the Council with 
a view to having the legal instruments adopted during this legislative term; 


AX. whereas, although the European Council of 24/25 October 2013 called for the timely 
adoption of a strong EU General Data Protection framework in order to foster the trust 
of citizens and businesses in the digital economy, the Council has been unable to 
arrive at a general approach on the General Data Protection Regulation and the 
Directive³;


IT security and cloud computing 


AY. whereas the resolution of 10 December 2013⁴ emphasises the economic potential of ‘cloud
computing’ business for growth and employment;


AZ. whereas the level of data protection in a cloud computing environment must not be 
inferior to that required in any other data-processing context; whereas Union data 
protection law, since it is technologically neutral, already applies fully to cloud 
computing services operating in the EU; 


BA. whereas mass surveillance activities give intelligence agencies access to personal data 
stored by EU individuals under cloud services agreements with major US cloud 
providers; whereas the US intelligence authorities have accessed personal data stored 
in servers located on EU soil by tapping into the internal networks of Yahoo and 
Google; whereas such activities constitute a violation of international obligations;
whereas it is not excluded that information stored in cloud services by Member States’ 
public authorities or undertakings and institutions has also been accessed by 
intelligence authorities; 


Democratic oversight of intelligence services 


¹ COM(2012) 11, 25.1.2012.
² COM(2012) 10, 25.1.2012.
³ http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/139197.pdf
⁴ A7-0353/2013, PE506.114v02-00.
BB. whereas intelligence services perform an important function in protecting democratic
society against internal and external threats; whereas they are given special powers
and capabilities to this end; whereas these powers are to be used within the rule of law,
as otherwise they risk losing legitimacy and eroding the democratic nature of society;


BC. whereas the high level of secrecy that is intrinsic to the intelligence services in order to
avoid endangering ongoing operations, revealing modi operandi or putting at risk the
lives of agents impedes full transparency, public scrutiny and normal democratic or
judicial examination;


BD. whereas technological developments have led to increased international intelligence
cooperation, also involving the exchange of personal data, and often blurring the line
between intelligence and law enforcement activities;


BE. whereas most of the existing national oversight mechanisms and bodies were set up or
revamped in the 1990s and have not necessarily been adapted to the rapid
technological developments over the last decade;


BF. whereas democratic oversight of intelligence activities is still conducted at national
level, despite the increase in exchange of information between EU Member States and
between Member States and third countries; whereas there is an increasing gap
between the level of international cooperation on the one hand and oversight capacities
limited to the national level on the other, which results in insufficient and ineffective
democratic scrutiny;


Main findings 


1. Considers that recent revelations in the press by whistleblowers and journalists,
together with the expert evidence given during this inquiry, have resulted in
compelling evidence of the existence of far-reaching, complex and highly
technologically advanced systems designed by US and some Member States’
intelligence services to collect, store and analyse communication and location data and
metadata of all citizens around the world on an unprecedented scale and in an
indiscriminate and non-suspicion-based manner;


2. Points specifically to US NSA intelligence programmes allowing for the mass
surveillance of EU citizens through direct access to the central servers of leading US
internet companies (PRISM programme), the analysis of content and metadata
(XKeyscore programme), the circumvention of online encryption (BULLRUN), access
to computer and telephone networks and access to location data, as well as to systems
of the UK intelligence agency GCHQ such as its upstream surveillance activity
(Tempora programme) and decryption programme (Edgehill); believes that the
existence of programmes of a similar nature, even if on a more limited scale, is likely
in other EU countries such as France (DGSE), Germany (BND) and Sweden (FRA);


3. Notes the allegations of ‘hacking’ or tapping into the Belgacom systems by the UK
intelligence agency GCHQ; reiterates the indication by Belgacom that it could not
confirm that EU institutions were targeted or affected, and that the malware used was
extremely complex and required the use of extensive financial and staffing resources
for its development and use that would not be available to private entities or hackers;


4. States that trust has been profoundly shaken: trust between the two transatlantic 
partners, trust among EU Member States, trust between citizens and their 
governments, trust in the respect of the rule of law, and trust in the security of IT 
services; believes that in order to rebuild trust in all these dimensions a comprehensive 
plan is urgently needed; 


5. Notes that several governments claim that these mass surveillance programmes are 
necessary to combat terrorism; wholeheartedly supports the fight against terrorism, but 
strongly believes that it can never in itself be a justification for untargeted, secret and 
sometimes even illegal mass surveillance programmes; expresses concerns, therefore, 
regarding the legality, necessity and proportionality of these programmes; 


6. Considers it very doubtful that data collection of such magnitude is only guided by the
fight against terrorism, as it involves the collection of all possible data of all citizens;
points therefore to the possible existence of other power motives such as political and
economic espionage;


7. Questions the compatibility of some Member States’ massive economic espionage 
activities with the EU internal market and competition law as enshrined in Title I and 
Title VII of the Treaty on the Functioning of the European Union; reaffirms the 
principle of sincere cooperation as enshrined in Article 4 paragraph 3 of the Treaty on
European Union and the principle that the Member States shall ‘refrain from any 
measures which could jeopardise the attainment of the Union’s objectives’; 


8. Notes that international treaties and EU and US legislation, as well as national 
oversight mechanisms, have failed to provide for the necessary checks and balances 
and for democratic accountability; 


9. Condemns in the strongest possible terms the vast, systemic, blanket collection of the
personal data of innocent people, often comprising intimate personal information;
emphasises that the systems of mass, indiscriminate surveillance by intelligence
services constitute a serious interference with the fundamental rights of citizens;
stresses that privacy is not a luxury right, but that it is the foundation stone of a free
and democratic society; points out, furthermore, that mass surveillance has potentially
severe effects on the freedom of the press, thought and speech, as well as a significant
potential for abuse of the information gathered against political adversaries;
emphasises that these mass surveillance activities appear also to entail illegal actions
by intelligence services and raise questions regarding the extra-territoriality of national
laws;





10. Sees the surveillance programmes as yet another step towards the establishment of a 
fully fledged preventive state, changing the established paradigm of criminal law in 
democratic societies, promoting instead a mix of law enforcement and intelligence 
activities with blurred legal safeguards, often not in line with democratic checks and 
balances and fundamental rights, especially the presumption of innocence; recalls in 
that regard the decision of the German Federal Constitutional Court¹ on the prohibition
of the use of preventive dragnets (‘präventive Rasterfahndung’) unless there is proof
of a concrete danger to other high-ranking legally protected rights, whereby a general
threat situation or international tensions do not suffice to justify such measures;


11. Is adamant that secret laws, treaties and courts violate the rule of law; points out that
any judgment of a court or tribunal and any decision of an administrative authority of
a non-EU state authorising, directly or indirectly, surveillance activities such as those
examined by this inquiry may not be automatically recognised or enforced, but must
be submitted individually to the appropriate national procedures on mutual recognition
and legal assistance, including rules imposed by bilateral agreements;


12. Points out that the abovementioned concerns are exacerbated by rapid technological
and societal developments; considers that, since internet and mobile devices are
everywhere in modern daily life (‘ubiquitous computing’) and the business model of
most internet companies is based on the processing of personal data of all kinds that
puts at risk the integrity of the person, the scale of this problem is unprecedented;


13. Regards it as a clear finding, as emphasised by the technology experts who testified
before the inquiry, that at the current stage of technological development there is no
guarantee, either for EU public institutions or for citizens, that their IT security or
privacy can be protected from intrusion by well-equipped third countries or EU
intelligence agencies (‘no 100% IT security’); notes that this alarming situation can
only be remedied if Europeans are willing to dedicate sufficient resources, both human
and financial, to preserving Europe's independence and self-reliance;


14. Strongly rejects the notion that these issues are purely a matter of national security and
therefore the sole competence of Member States; recalls a recent ruling of the Court of
Justice according to which ‘although it is for Member States to take the appropriate
measures to ensure their internal and external security, the mere fact that a decision
concerns State security cannot result in European Union law being inapplicable’;
recalls further that the protection of the privacy of all EU citizens is at stake, as are the
security and reliability of all EU communication networks; believes therefore that
discussion and action at EU level is not only legitimate, but also a matter of EU
autonomy and sovereignty;


15. Commends the current discussions, inquiries and reviews concerning the subject of
this inquiry in several parts of the world; points to the Global Government
Surveillance Reform signed up to by the world's leading technology companies,
which calls for sweeping changes to national surveillance laws, including an
international ban on bulk collection of data to help preserve the public's trust in the
internet; notes with great interest the recommendations published recently by the US
President's Review Group on Intelligence and Communications Technologies;
strongly urges governments to take these calls and recommendations fully into account
and to overhaul their national frameworks for the intelligence services in order to
implement appropriate safeguards and oversight;


¹ No 1 BvR 518/02 of 4 April 2006.
16. Commends the institutions and experts who have contributed to this inquiry; deplores
the fact that several Member States’ authorities have declined to cooperate with the
inquiry the European Parliament has been conducting on behalf of citizens; welcomes 
the openness of several Members of Congress and of national parliaments; 


17. Is aware that in such a limited timeframe it has been possible to conduct only a 
preliminary investigation of all the issues at stake since July 2013; recognises both the 
scale of the revelations involved and their ongoing nature; adopts, therefore, a 
forward-planning approach consisting in a set of specific proposals and a mechanism 
for follow-up action in the next parliamentary term, ensuring the findings remain high 
on the EU political agenda; 


18. Intends to request strong political undertakings from the European Commission to be 
designated after the May 2014 elections to implement the proposals and 
recommendations of this Inquiry; expects adequate commitment from the candidates 
in the upcoming parliamentary hearings for the new Commissioners; 


Recommendations 


19. Calls on the US authorities and the EU Member States to prohibit blanket mass
surveillance activities and bulk processing of personal data; 


20. Calls on certain EU Member States, including the UK, Germany, France, Sweden and 
the Netherlands, to revise where necessary their national legislation and practices 
governing the activities of intelligence services so as to ensure that they are in line 
with the standards of the European Convention on Human Rights and comply with 
their fundamental rights obligations as regards data protection, privacy and 
presumption of innocence; in particular, given the extensive media reports referring to
mass surveillance in the UK, would emphasise that the current legal framework which
is made up of a ‘complex interaction’ between three separate pieces of legislation — 
the Human Rights Act 1998, the Intelligence Services Act 1994 and the Regulation of 
Investigatory Powers Act 2000 — should be revised; 


21. Calls on the Member States to refrain from accepting data from third states which 
have been collected unlawfully and from allowing surveillance activities on their 
territory by third states’ governments or agencies which are unlawful under national 
law or do not meet the legal safeguards enshrined in international or EU instruments, 
including the protection of Human Rights under the TEU, the ECHR and the EU 
Charter of Fundamental Rights; 


22. Calls on the Member States immediately to fulfil their positive obligation under the 
European Convention on Human Rights to protect their citizens from surveillance 
contrary to its requirements, including when the aim thereof is to safeguard national 
security, undertaken by third states and to ensure that the rule of law is not weakened 
as a result of extraterritorial application of a third country’s law; 


23. Invites the Secretary-General of the Council of Europe to launch the Article 52
procedure according to which ‘on receipt of a request from the Secretary General of
the Council of Europe any High Contracting Party shall furnish an explanation of the
manner in which its internal law ensures the effective implementation of any of the
provisions of the Convention’;


24. Calls on Member States to take appropriate action immediately, including court action,
against the breach of their sovereignty, and thereby the violation of general public 
international law, perpetrated through the mass surveillance programmes; calls further 
on EU Member States to make use of all available international measures to defend 
EU citizens' fundamental rights, notably by triggering the inter-state complaint 
procedure under Article 41 of the International Covenant on Civil and Political Rights 
(ICCPR); 


25. Calls on the US to revise its legislation without delay in order to bring it into line with
international law, to recognise the privacy and other rights of EU citizens, to provide 
for judicial redress for EU citizens and to sign the Additional Protocol allowing for 
complaints by individuals under the ICCPR; 


26. Strongly opposes any conclusion of an additional protocol or guidance to the Council
of Europe Cybercrime Convention (Budapest Convention) on transborder access to 
stored computer data which could provide for a legitimisation of intelligence services' 
access to data stored in another jurisdiction without its authorisation and without the 
use of existing mutual legal assistance instruments, since this could result in unfettered 
remote access by law enforcement authorities to servers and computers located in 
other jurisdictions and would be in conflict with Council of Europe Convention 108; 


27. Calls on the Commission to carry out, before July 2014, an assessment of the
applicability of Regulation EC No 2271/96 to cases of conflict of laws for transfers of 
personal data; 


International transfers of data 


US data protection legal framework and US Safe Harbour 


28. Notes that the companies identified by media revelations as being involved in the
large-scale mass surveillance of EU data subjects by the US NSA are companies that have
self-certified their adherence to the Safe Harbour, and that the Safe Harbour is the
legal instrument used for the transfer of EU personal data to the US (Google,
Microsoft, Yahoo!, Facebook, Apple, LinkedIn); expresses its concern at the fact
that these organisations admitted that they do not encrypt information and
communications flowing between their data centres, thereby enabling intelligence
services to intercept information¹;


29. Considers that large-scale access by US intelligence agencies to EU personal data
processed under the Safe Harbour does not per se meet the criteria for derogation under
‘national security’;


30. Takes the view that, as under the current circumstances the Safe Harbour principles do
not provide adequate protection for EU citizens, these transfers should be carried out
under other instruments, such as contractual clauses or BCRs setting out specific
safeguards and protections;


¹ The Washington Post, 31 October 2013.


31. Calls on the Commission to present measures providing for the immediate suspension
of Commission Decision 520/2000, which declared the adequacy of the Safe Harbour 
privacy principles, and of the related FAQs issued by the US Department of 
Commerce; 


32. Calls on Member States’ competent authorities, namely the data protection authorities,
to make use of their existing powers and immediately suspend data flows to any 
organisation that has self-certified its adherence to the US Safe Harbour Principles and 
to require that such data flows are only carried out under other instruments, provided 
they contain the necessary safeguards and protections with respect to the protection of 
the privacy and fundamental rights and freedoms of individuals; 


33. Calls on the Commission to present by June 2014 a comprehensive assessment of the
US privacy framework covering commercial, law enforcement and intelligence
activities in response to the fact that the EU and the US legal systems for protecting
personal data are drifting apart;


Transfers to other third countries with adequacy decision 


34. Recalls that Directive 95/46/EC stipulates that transfers of personal data to a third country may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of the Directive, the third country in question ensures an adequate level of protection, the purpose of this provision being to ensure the continuity of the protection afforded by EU data protection law where personal data are transferred outside the EU;


35. Recalls that Directive 95/46/EC provides that the adequacy of the level of protection afforded by a third country is to be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; likewise recalls that the said Directive also equips the Commission with implementing powers to declare that a third country ensures an adequate level of protection in the light of the criteria laid down by Directive 95/46/EC, and that Directive 95/46/EC also empowers the Commission to declare that a third country does not ensure an adequate level of protection;


36. Recalls that in the latter case Member States must take the measures necessary to prevent any transfer of data of the same type to the third country in question, and that the Commission should enter into negotiations with a view to remedying the situation;


37. Calls on the Commission and the Member States to assess without delay whether the adequate level of protection afforded by New Zealand and by the Canadian Personal Information Protection and Electronic Documents Act, as declared by Commission Decisions 2013/65 and 2/2002 of 20 December 2001, has been affected by the involvement of their national intelligence agencies in the mass surveillance of EU citizens and, if necessary, to take appropriate measures to suspend or reverse the adequacy decisions; expects the Commission to report to the European Parliament on its findings on the abovementioned countries by December 2014 at the latest;


Transfers based on contractual clauses and other instruments 


38. Recalls that national data protection authorities have indicated that neither standard contractual clauses nor BCRs were written with situations of access to personal data for mass surveillance purposes in mind, and that such access would not be in line with the derogation clauses of the contractual clauses or BCRs which refer to exceptional derogations for a legitimate interest in a democratic society and where necessary and proportionate;


39. Calls on the Member States to prohibit or suspend data flows to third countries based 
on the standard contractual clauses, contractual clauses or BCRs authorised by the 
national competent authorities where it is established that the law to which the data 
importer is subject imposes upon him requirements which go beyond the restrictions 
necessary in a democratic society and which are likely to have a substantial adverse 
effect on the guarantees provided by the applicable data protection law and the 
standard contractual clauses, or because continuing transfer would create an imminent 
risk of grave harm to the data subjects; 


40. Calls on the Article 29 Working Party to issue guidelines and recommendations on the 
safeguards and protections that contractual instruments for international transfers of 
EU personal data should contain in order to ensure the protection of the privacy, 
fundamental rights and freedoms of individuals, taking particular account of the 
third-country laws on intelligence and national security and the involvement of the 
companies receiving the data in a third country in mass surveillance activities by a 
third country's intelligence agencies; 


41. Calls on the Commission to examine the standard contractual clauses it has established 
in order to assess whether they provide the necessary protection as regards access to 
personal data transferred under the clauses for intelligence purposes and, if 
appropriate, to review them; 


Transfers based on the Mutual Legal Assistance Agreement 


42. Calls on the Commission to conduct before the end of 2014 an in-depth assessment of the 
existing Mutual Legal Assistance Agreement, pursuant to its Article 17, in order to 
verify its practical implementation and, in particular, whether the US has made 
effective use of it for obtaining information or evidence in the EU and whether the 
Agreement has been circumvented to acquire the information directly in the EU, and 
to assess the impact on the fundamental rights of individuals; such an assessment 
should not only refer to US official statements as a sufficient basis for the analysis but 
be based on specific EU evaluations; this in-depth review should also address the 
consequences of the application of the Union's constitutional architecture to this 
instrument in order to bring it into line with Union law, taking account in particular of 
Protocol 36 and Article 10 thereof and Declaration 50 concerning this protocol; 
EU mutual assistance in criminal matters 


43. Asks the Council and the Commission to inform Parliament about the actual use by 
Member States of the Convention on Mutual Assistance in Criminal Matters between 
the Member States, in particular Title III on interception of telecommunications; calls 
on the Commission to put forward a proposal, in accordance with Declaration 50, 
concerning Protocol 36, as requested, before the end of 2014 in order to adapt it to the 
Lisbon Treaty framework; 


Transfers based on the TFTP and PNR agreements 


44. Takes the view that the information provided by the European Commission and the 
US Treasury does not clarify whether US intelligence agencies have access to SWIFT 
financial messages in the EU by intercepting SWIFT networks or banks’ operating 
systems or communication networks, alone or in cooperation with EU national 
intelligence agencies and without having recourse to existing bilateral channels for 
mutual legal assistance and judicial cooperation; 


45. Reiterates its resolution of 23 October 2013 and asks the Commission for the 
suspension of the TFTP Agreement; 


46. Calls on the European Commission to react to concerns that three of the major 
computerised reservation systems used by airlines worldwide are based in the US and 
that PNR data are saved in cloud systems operating on US soil under US law, which 
lacks data protection adequacy; 


Framework agreement on data protection in the field of police and judicial cooperation 
(‘Umbrella agreement’) 


47. Considers that a satisfactory solution under the ‘Umbrella agreement’ is a 
pre-condition for the full restoration of trust between the transatlantic partners; 


48. Asks for an immediate resumption of the negotiations with the US on the ‘Umbrella 
Agreement’, which should provide for clear rights for EU citizens and effective and 
enforceable administrative and judicial remedies in the US without any discrimination; 


49. Asks the Commission and the Council not to initiate any new sectorial agreements or 
arrangements for the transfer of personal data for law enforcement purposes as long as 
the ‘Umbrella Agreement’ has not entered into force; 


50. Urges the Commission to report in detail on the various points of the negotiating 
mandate and the latest state of play by April 2014; 


Data protection reform 


51. Calls on the Council Presidency and the majority of Member States who support a high level of data protection to show a sense of leadership and responsibility and accelerate their work on the whole Data Protection Package to allow for adoption in 2014, so that EU citizens will be able to enjoy better protection in the very near future;


52. Stresses that both the Data Protection Regulation and the Data Protection Directive are necessary to protect the fundamental rights of individuals and therefore must be treated as a package to be adopted simultaneously, in order to ensure that all data-processing activities in the EU provide a high level of protection in all circumstances;


Cloud computing 


53. Notes that trust in US cloud computing and cloud providers has been negatively affected by the abovementioned practices; emphasises, therefore, the development of European clouds as an essential element for growth and employment and trust in cloud computing services and providers and for ensuring a high level of personal data protection;


54. Reiterates its serious concerns about the compulsory direct disclosure of EU personal data and information processed under cloud agreements to third-country authorities by cloud providers subject to third-country laws or using storage servers located in third countries, and about direct remote access to personal data and information processed by third-country law enforcement authorities and intelligence services;


55. Regrets the fact that such access is usually attained by means of direct enforcement by third-country authorities of their own legal rules, without recourse to international instruments established for legal cooperation such as mutual legal assistance (MLA) agreements or other forms of judicial cooperation;


56. Calls on the Commission and the Member States to speed up the work of establishing a European Cloud Partnership;


57. Recalls that all companies providing services in the EU must, without exception, comply with EU law and are liable for any breaches;


Transatlantic Trade and Investment Partnership Agreement (TTIP) 


58. Recognises that the EU and the US are pursuing negotiations for a Transatlantic Trade and Investment Partnership, which is of major strategic importance for creating further economic growth and for the ability of both the EU and the US to set future global regulatory standards;


59. Strongly emphasises, given the importance of the digital economy in the relationship and in the cause of rebuilding EU-US trust, that the European Parliament will only consent to the final TTIP agreement provided the agreement fully respects fundamental rights recognised by the EU Charter, and that the protection of the privacy of individuals in relation to the processing and dissemination of personal data must continue to be governed by Article XIV of the GATS;


Democratic oversight of intelligence services 


60. Stresses that, despite the fact that oversight of intelligence services’ activities should be based on both democratic legitimacy (strong legal framework, ex ante authorisation and ex post verification) and an adequate technical capability and expertise, the majority of current EU and US oversight bodies dramatically lack both, in particular the technical capabilities;


61. Invites, as it has done in the case of Echelon, all national parliaments which have not yet done so to install meaningful oversight of intelligence activities by parliamentarians or expert bodies with legal powers to investigate; calls on national parliaments to ensure that such oversight committees/bodies have sufficient resources, technical expertise and legal means to be able to effectively control intelligence services;


62. Calls for the setting up of a high-level group to strengthen cooperation in the field of intelligence at EU level, combined with a proper oversight mechanism ensuring both democratic legitimacy and adequate technical capacity; stresses that the high-level group should cooperate closely with national parliaments in order to propose further steps to be taken for increased oversight collaboration in the EU;


63. Calls on this high-level group to define minimum European standards or guidelines on the (ex ante and ex post) oversight of intelligence services on the basis of existing best practices and recommendations by international bodies (UN, Council of Europe);


64. Calls on the high-level group to set strict limits on the duration of any surveillance ordered unless its continuation is duly justified by the authorising/oversight authority;


65. Calls on the high-level group to develop criteria on enhanced transparency, built on the general principle of access to information and the so-called ‘Tshwane Principles’¹;


66. Intends to organise a conference with national oversight bodies, whether parliamentary or independent, by the end of 2014;


67. Calls on the Member States to draw on best practices so as to improve access by their oversight bodies to information on intelligence activities (including classified information and information from other services) and establish the power to conduct on-site visits, a robust set of powers of interrogation, adequate resources and technical expertise, strict independence vis-à-vis their respective governments, and a reporting obligation to their respective parliaments;


68. Calls on the Member States to develop cooperation among oversight bodies, in particular within the European Network of National Intelligence Reviewers (ENNIR);


69. Urges the Commission to present, by September 2014, a proposal for a legal basis for the activities of the EU Intelligence Analysis Centre (IntCen), as well as a proper oversight mechanism adapted to its activities, including regular reporting to the European Parliament;


70. Calls on the Commission to present, by September 2014, a proposal for an EU security clearance procedure for all EU office holders, as the current system, which relies on the security clearance undertaken by the Member State of citizenship, provides for different requirements and lengths of procedures within national systems, thus leading to differing treatment of Members of Parliament and their staff depending on their nationality;


71. Recalls the provisions of the interinstitutional agreement between the European Parliament and the Council concerning the forwarding to and handling by the European Parliament of classified information held by the Council on matters other than those in the area of the common foreign and security policy that should be used to improve oversight at EU level;


1 The Global Principles on National Security and the Right to Information, June 2013.


EU agencies 


72. Calls on the Europol Joint Supervisory Body, together with national data protection authorities, to conduct a joint inspection before the end of 2014 in order to ascertain whether information and personal data shared with Europol has been lawfully acquired by national authorities, particularly if the information or data was initially acquired by intelligence services in the EU or a third country, and whether appropriate measures are in place to prevent the use and further dissemination of such information or data;


73. Calls on Europol to ask the competent authorities of the Member States, in line with its competences, to initiate investigations with regard to possible cybercrimes and cyber attacks committed by governments or private actors in the course of the activities under scrutiny;


Freedom of expression 


74. Expresses deep concern about the developing threats to the freedom of the press and the chilling effect on journalists of intimidation by state authorities, in particular as regards the protection of confidentiality of journalistic sources; reiterates the calls expressed in its resolution of 21 May 2013 on ‘the EU Charter: standard settings for media freedom across the EU’;


75. Considers that the detention of Mr Miranda and the seizure of the material in his possession under Schedule 7 of the Terrorism Act 2000 (and also the request to The Guardian to destroy or hand over the material) constitutes an interference with the right of freedom of expression as recognised by Article 10 of the ECHR and Article 11 of the EU Charter;


76. Calls on the Commission to put forward a proposal for a comprehensive framework for the protection of whistleblowers in the EU, with particular attention to the specificities of whistleblowing in the field of intelligence, for which provisions relating to whistleblowing in the financial field may prove insufficient, and including strong guarantees of immunity;


EU IT security 


77. Points out that recent incidents clearly demonstrate the acute vulnerability of the EU, and in particular the EU institutions, national governments and parliaments, major European companies, European IT infrastructures and networks, to sophisticated attacks using complex software; notes that these attacks require such financial and human resources that they are likely to originate from state entities acting on behalf of foreign governments or even from certain EU national governments that support them; in this context, regards the case of the hacking or tapping of the telecommunications company Belgacom as a worrying example of an attack against the EU's IT capacity;


78. Takes the view that the mass surveillance revelations that have initiated this crisis can 
be used as an opportunity for Europe to take the initiative and build up an autonomous 
IT key-resource capability for the mid term; calls on the Commission and the Member 
States to use public procurement as leverage to support such resource capability in the 
EU by making EU security and privacy standards a key requirement in the public 
procurement of IT goods and services; 


79. Is highly concerned by indications that foreign intelligence services sought to lower IT security standards and to install backdoors in a broad range of IT systems;


80. Calls on all the Member States, the Commission, the Council and the European Council to address the EU's dangerous lack of autonomy in terms of IT tools, companies and providers (hardware, software, services and network), and encryption and cryptographic capabilities;


81. Calls on the Commission, standardisation bodies and ENISA to develop, by September 2014, minimum security and privacy standards and guidelines for IT systems, networks and services, including cloud computing services, in order to better protect EU citizens' personal data; believes that such standards should be set in an open and democratic process, not driven by a single country, entity or multinational company; takes the view that, while legitimate law enforcement and intelligence concerns need to be taken into account in order to support the fight against terrorism, they should not lead to a general undermining of the dependability of all IT systems;


82. Points out that both telecom companies and the EU and national telecom regulators have clearly neglected the IT security of their users and clients; calls on the Commission to make full use of its existing powers under the ePrivacy and Telecommunication Framework Directive to strengthen the protection of confidentiality of communication by adopting measures to ensure that terminal equipment is compatible with the right of users to control and protect their personal data, and to ensure a high level of security of telecommunication networks and services, including by way of requiring state-of-the-art encryption of communications;


83. Supports the EU cyber strategy but considers that it does not cover all possible threats and should be extended to cover malicious state behaviours;


84. Calls on the Commission, by January 2015 at the latest, to present an Action Plan to develop more EU independence in the IT sector, including a more coherent approach to boosting European IT technological capabilities (including IT systems, equipment, services, cloud computing, encryption and anonymisation) and to the protection of critical IT infrastructure (including in terms of ownership and vulnerability);


85. Calls on the Commission, in the framework of the next Work Programme of the Horizon 2020 Programme, to assess whether more resources should be directed towards boosting European research, development, innovation and training in the field of IT technologies, in particular privacy-enhancing technologies and infrastructures, cryptology, secure computing, open-source security solutions and the Information Society;


86. Asks the Commission to map out current responsibilities and to review, by June 2014 
at the latest, the need for a broader mandate, better.coordination and/or additional 
resources and technical capabilities for Europol's CyberCrime Centre, ENISA, 
CERT-EU and the EDPS in order to enable them to be more effective in investigating 
major IT breaches in the EU and in performing (or assisting Member States and EU 
bodies to perform) on-site technical investigations regarding major IT breaches; 


87. Deems it necessary for the EU to be supported by an EU IT Academy that brings together the best European experts in all related fields, tasked with providing all relevant EU Institutions and bodies with scientific advice on IT technologies, including security-related strategies; as a first step asks the Commission to set up an independent scientific expert panel;


88. Calls on the European Parliament's Secretariat to carry out, by September 2014 at the 
latest, a thorough review and assessment of the European Parliament's IT security 
dependability focused on: budgetary means, staff resources, technical capabilities, 
internal organisation and all relevant elements, in order to achieve a high level of 
security for the EP's IT systems; believes that such an assessment should at the least 
provide information analysis and recommendations on: 


• the need for regular, rigorous, independent security audits and penetration tests, with the selection of outside security experts ensuring transparency and guarantees of their credentials vis-à-vis third countries or any types of vested interest;

• the inclusion in tender procedures for new IT systems of specific IT security/privacy requirements, including the possibility of a requirement for Open Source Software as a condition of purchase;

• the list of US companies under contract with the European Parliament in the IT and telecom fields, taking into account revelations about NSA contracts with a company such as RSA, whose products the European Parliament is using to supposedly protect remote access to their data by its Members and staff;

• the reliability and resilience of third-party commercial software used by the EU institutions in their IT systems with regard to penetrations and intrusions by EU or third-country law enforcement and intelligence authorities;

• the use of more open-source systems and fewer off-the-shelf commercial systems;

• the impact of the increased use of mobile tools (smartphones, tablets, whether professional or personal) and its effects on the IT security of the system;

• the security of the communications between different workplaces of the European Parliament and of the IT systems used at the European Parliament;

• the use and location of servers and IT centres for the EP’s IT systems and the implications for the security and integrity of the systems;

• the implementation in reality of the existing rules on security breaches and prompt notification of the competent authorities by the providers of publicly available telecommunication networks;

• the use of cloud storage by the EP, including what kind of data is stored on the cloud, how the content and access to it is protected and where the cloud is located, clarifying the applicable data protection legal regime;

• a plan allowing for the use of more cryptographic technologies, in particular end-to-end authenticated encryption for all IT and communications services such as cloud computing, email, instant messaging and telephony;

• the use of electronic signature in email;

• an analysis of the benefits of using the GNU Privacy Guard as a default encryption standard for emails which would at the same time allow for the use of digital signatures;

• the possibility of setting up a secure Instant Messaging service within the European Parliament allowing secure communication, with the server only seeing encrypted content;


89. Calls on all the EU Institutions and agencies to perform a similar exercise, by 
December 2014 at the latest, in particular the European Council, the Council, the 
External Action Service (including EU delegations), the Commission, the Court of 
Justice and the European Central Bank; invites the Member States to conduct similar 
assessments; 


90. Stresses that as far as the external action of the EU is concerned, assessments of 
related budgetary needs should be carried out and first measures taken without delay 
in the case of the European External Action Service (EEAS) and that appropriate 
funds need to be allocated in the 2015 Draft Budget; 


91. Takes the view that the large-scale IT systems used in the area of freedom, security 
and justice, such as the Schengen Information System II, the Visa Information System, 
Eurodac and possible future systems, should be developed and operated in such a way 
as to ensure that data is not compromised as a result of US requests under the Patriot 
Act; asks eu-LISA to report back to Parliament on the reliability of the systems in 
place by the end of 2014; 


92. Calls on the Commission and the EEAS to take action at the international level, with 
the UN in particular, and in cooperation with interested partners (such as Brazil), and 
to implement an EU strategy for democratic governance of the internet in order to 
prevent undue influence over ICANN’s and IANA’s activities by any individual entity, company or country by ensuring appropriate representation of all interested parties in these bodies;


93. Calls for the overall architecture of the internet in terms of data flows and storage to 
be reconsidered, striving for more data minimisation and transparency and less 
centralised mass storage of raw data, as well as avoiding unnecessary routing of traffic 
through the territory of countries that do not meet basic standards on fundamental 
rights, data protection and privacy; 


94. Calls on the Member States, in cooperation with ENISA, Europol’s CyberCrime 
Centre, CERTs and national data protection authorities and cybercrime units, to start 
an education and awareness-raising campaign in order to enable citizens to make a 
more informed choice regarding what personal data to put on line and how better to 
protect them, including through ‘digital hygiene’, encryption and safe cloud 
computing, making full use of the public interest information platform provided for in 
the Universal Service Directive; 


95. Calls on the Commission, by September 2014, to evaluate the possibilities of 
encouraging software and hardware manufacturers to introduce more security and 
privacy through default features in their products, including the possibility of 
introducing legal liability on the part of manufacturers for unpatched known 
vulnerabilities or the installation of secret backdoors, and disincentives for the undue 
and disproportionate collection of mass personal data, and if appropriate to come 
forward with legislative proposals; 


Rebuilding trust 


96. Believes that the inquiry has shown the need for the US to restore trust with its 
partners, as US intelligence agencies' activities are primarily at stake; 


97. Points out that the crisis of confidence generated extends to:

– the spirit of cooperation within the EU, as some national intelligence activities may jeopardise the attainment of the Union's objectives;

– citizens, who realise that not only third countries or multinational companies, but also their own government, may be spying on them;

– respect for the rule of law and the credibility of democratic safeguards in a digital society;


Between the EU and the US


98. Recalls the important historical and strategic partnership between the EU Member States and the US, based on a common belief in democracy, the rule of law and fundamental rights;


99. Believes that the mass surveillance of citizens and the spying on political leaders by the US have caused serious damage to relations between the EU and the US and negatively impacted on trust in US organisations acting in the EU; this is further exacerbated by the lack of judicial and administrative remedies for redress under US law for EU citizens, particularly in cases of surveillance activities for intelligence purposes;


100. Recognises, in light of the global challenges facing the EU and the US, that the transatlantic partnership needs to be further strengthened, and that it is vital that transatlantic cooperation in counter-terrorism continues; insists, however, that clear measures need to be taken by the US to re-establish trust and re-emphasise the shared basic values underlying the partnership;


101. Is ready actively to engage in a dialogue with US counterparts so that, in the ongoing 
American public and congressional debate on reforming surveillance and reviewing 
intelligence oversight, the privacy rights of EU citizens are addressed, equal 
information rights and privacy protection in US courts guaranteed and the current 
discrimination not perpetuated; 


102. Insists that necessary reforms be undertaken and effective guarantees given to 
Europeans to ensure that the use of surveillance and data processing for foreign 
intelligence purposes is limited by clearly specified conditions and related to 
reasonable suspicion or probable cause of terrorist or criminal activity; stresses that 
this purpose must be subject to transparent judicial oversight; 


103. Considers that clear political signals are needed from our American partners to 
demonstrate that the US distinguishes between allies and adversaries; 


104. Urges the EU Commission and the US Administration to address, in the context of the ongoing negotiations on an EU-US umbrella agreement on data transfer for law enforcement purposes, the information and judicial redress rights of EU citizens, and to conclude these negotiations, in line with the commitment made at the EU-US Justice and Home Affairs Ministerial Meeting of 18 November 2013, before summer 2014;


105. Encourages the US to accede to the Council of Europe's Convention for the Protection 
of Individuals with regard to Automatic Processing of Personal Data (Convention 
108), as it acceded to the 2001 Convention on Cybercrime, thus strengthening the 
shared legal basis among the transatlantic allies; 


106. Calls on the EU institutions to explore the possibilities for establishing with the US a code of conduct which would guarantee that no US espionage is pursued against EU institutions and facilities;


Within the European Union 


107. Also believes that the involvement and activities of EU Member States have led to a loss of trust; is of the opinion that only full clarity as to purposes and means of surveillance, public debate and, ultimately, revision of legislation, including a strengthening of the system of judicial and parliamentary oversight, will be able to re-establish the trust lost;


108. Is aware that some EU Member States are pursuing bilateral communication with the US authorities on spying allegations, and that some of them have concluded (United Kingdom) or envisage concluding (Germany, France) so-called ‘anti-spying’ arrangements; underlines that these Member States need to observe fully the interests of the EU as a whole;


109. Considers that such arrangements should not breach European Treaties, especially the principle of sincere cooperation (under Article 4 paragraph 3 TEU), or undermine EU policies in general and, more specifically, the internal market, fair competition and economic, industrial and social development; reserves its right to activate Treaty procedures in the event of such arrangements being proved to contradict the Union's cohesion or the fundamental principles on which it is based;


Internationally 


110. Calls on the Commission to present, in January 2015 at the latest, an EU strategy for 
democratic governance of the internet; 


111. Calls on the Member States to follow the call of the 35th International Conference of 
Data Protection and Privacy Commissioners ‘to advocate the adoption of an additional 
protocol to Article 17 of the International Covenant on Civil and Political Rights 
(ICCPR), which should be based on the standards that have been developed and 
endorsed by the International Conference and the provisions in General Comment No 
16 to the Covenant in order to create globally applicable standards for data protection 
and the protection of privacy in accordance with the rule of law’; asks the High 
Representative/Vice-President of the Commission and the External Action Service to 
take a proactive stance; 


112. Calls on the Member States to develop a coherent and strong strategy within the 
United Nations, supporting in particular the resolution on ‘The right to privacy in the 
digital age’ initiated by Brazil and Germany, as adopted by the third UN General 
Assembly Committee (Human Rights Committee) on 27 November 2013; 


Priority Plan: A European Digital Habeas Corpus 


113. Decides to submit to EU citizens, Institutions and Member States the abovementioned 
recommendations as a Priority Plan for the next legislature; 


114. Decides to launch A European Digital Habeas Corpus for protecting privacy based on 
the following 7 actions with a European Parliament watchdog: 


Action 1: Adopt the Data Protection Package in 2014; 


Action 2: Conclude the EU-US Umbrella Agreement ensuring proper redress 
mechanisms for EU citizens in the event of data transfers from the EU to the US for 
law-enforcement purposes; 


Action 3: Suspend Safe Harbour until a full review has been conducted and current 
loopholes are remedied, making sure that transfers of personal data for commercial 
purposes from the Union to the US can only take place in compliance with highest 
EU standards; 


Action 4: Suspend the TFTP agreement until (i) the Umbrella Agreement 
negotiations have been concluded; (ii) a thorough investigation has been concluded 
on the basis of an EU analysis, and all concerns raised by Parliament in its 
resolution of 23 October have been properly addressed; 


Action 5: Protect the rule of law and the fundamental rights of EU citizens, with a 
particular focus on threats to the freedom of the press and professional 
confidentiality (including lawyer-client relations) as well as enhanced protection for 
whistleblowers; 


Action 6: Develop a European strategy for IT independence (at national and EU 
level); 


Action 7: Develop the EU as a reference player for a democratic and neutral 
governance of the internet; 


115. Calls on the EU Institutions and the Member States to support and promote the 
European Digital Habeas Corpus; undertakes to act as the EU citizens' rights 
watchdog, with the following timetable to monitor implementation: 


• April-July 2014: a monitoring group based on the LIBE inquiry team 
responsible for monitoring any new revelations in the media concerning the 
inquiry's mandate and scrutinising the implementation of this resolution; 


• July 2014 onwards: a standing oversight mechanism for data transfers and 
judicial remedies within the competent committee; 


• Spring 2014: a formal call on the European Council to include the European 
Digital Habeas Corpus in the guidelines to be adopted under Article 68 TFEU; 


• Autumn 2014: a commitment that the European Digital Habeas Corpus and 
related recommendations will serve as key criteria for the approval of the next 
Commission; 


• 2014-2015: a Trust/Data/Citizens’ Rights group to be convened on a regular 
basis between the European Parliament and the US Congress, as well as with 
other committed third-country parliaments, including Brazil; 


• 2014-2015: a conference with the intelligence oversight bodies of European 
national parliaments; 


• 2015: a conference bringing together high-level European experts in the 
various fields conducive to IT security (including mathematics, cryptography 
and privacy-enhancing technologies) to help foster an EU IT strategy for the 
next legislature; 


116. Instructs its President to forward this resolution to the European Council, the Council, 
the Commission, the parliaments and governments of the Member States, national data 
protection authorities, the EDPS, eu-LISA, ENISA, the Fundamental Rights Agency, 
the Article 29 Working Party, the Council of Europe, the Congress of the United 
States of America, the US Administration, the President, the Government and the 
Parliament of the Federative Republic of Brazil, and the United Nations 
Secretary-General. 
EXPLANATORY STATEMENT 


‘The office of the sovereign, be it a monarch or an assembly, consisteth in the end, 
for which he was trusted with the sovereign power, 

namely the procuration of the safety of people’ 

Hobbes, Leviathan (chapter XXX) 


‘We cannot commend our society to others by departing 
from the fundamental standards which 

make it worthy of commendation' 

Lord Bingham of Cornhill, 

Former Lord Chief Justice of England and Wales 


Methodology 


From July 2013, the LIBE Committee of Inquiry was responsible for the extremely 
challenging task of fulfilling the mandate¹ of the Plenary on the investigation into the 
electronic mass surveillance of EU citizens in a very short timeframe, less than 6 months. 


During that period it held over 15 hearings covering each of the specific cluster issues 
prescribed in the 4 July resolution, drawing on the submissions of both EU and US experts 
representing a wide range of knowledge and backgrounds: EU institutions, national 
parliaments, US Congress, academics, journalists, civil society, security and technology 
specialists and private business. In addition, a delegation of the LIBE Committee visited 
Washington on 28-30 October 2013 to meet with representatives of both the executive and the 
legislative branch (academics, lawyers, security experts, business representatives). A 
delegation of the Committee on Foreign Affairs (AFET) was also in town at the same time. A 
few meetings were held together. 


A series of working documents³ have been co-authored by the rapporteur, the shadow 
rapporteurs⁴ from the various political groups and 3 Members from the AFET Committee⁵, 
enabling a presentation of the main findings of the Inquiry. The rapporteur would like to 
thank all shadow rapporteurs and AFET Members for their close cooperation and high-level 
commitment throughout this demanding process. 


Scale of the problem 


An increasing focus on security combined with developments in technology has enabled 
States to know more about citizens than ever before. By being able to collect data 
regarding the content of communications, as well as metadata, and by following citizens’ 
electronic activities, in particular their use of smartphones and tablet computers, intelligence 
services are de facto able to know almost everything about a person. This has contributed to 
a fundamental shift in the work and practices of intelligence agencies, away from the 
traditional concept of targeted surveillance as a necessary and proportional counter- 
terrorism measure, towards systems of mass surveillance. 


¹ http//www.europarl.europa.eu/meetdocs/2009 2014/documents/ta/04/07/20139620-96200322/p7 ta-provi 2013)0322 en.pdf 
² See Washington delegation report. 
³ See Annex I. 
⁴ List of shadow rapporteurs: Axel Voss (EPP), Sophia in't Veld (ALDE), Jan Philipp Albrecht 
(GREENS/ALE), Timothy Kirkhope (EFD), Cornelia Ernst (GUE). 
⁵ List of AFET Members: José Ignacio Salafranca Sánchez-Neyra (EPP), Ana Gomes (S&D), Annemie Neyts- 
Uyttebroeck (ALDE). 


This process of increasing mass surveillance has not been subject to any prior public 
debate or democratic decision-making. Discussion is needed on the purpose and scale of 
surveillance and its place in a democratic society. Is the situation created by Edward 
Snowden’s revelations an indication of a general societal turn towards the acceptance of 
the death of privacy in return for security? Do we face a breach of privacy and intimacy so 
great that it is possible not only for criminals but for IT companies and intelligence agencies 
to know every detail of the life of a citizen? Is it a fact to be accepted without further 
discussion? Or is it the responsibility of the legislator to adapt the policy and legal tools at hand 
to limit the risks and prevent further damage in case less democratic forces were to come to 
power? 


Reactions to mass surveillance and a public debate 


The debate on mass surveillance does not take place in an even manner inside the EU. In fact 
in many Member States there is hardly any public debate and media attention varies. Germany 
seems to be the country where reactions to the revelations have been strongest and public 
discussions as to their consequences have been widespread. In the United Kingdom and 
France, in spite of investigations by The Guardian and Le Monde, reactions seem more 
limited, a fact that has been linked to the alleged involvement of their national intelligence 
services in activities with the NSA. The LIBE Committee Inquiry has been in a position to 
hear valuable contributions from the parliamentary oversight bodies of Belgium, the 
Netherlands, Denmark and even Norway; however, the British and French Parliaments have 
declined participation. These differences show again the uneven degree of checks and 
balances within the EU on these issues and that more cooperation is needed between 
parliamentary bodies in charge of oversight. 


Following the disclosures of Edward Snowden in the mass media, public debate has been 
based on two main types of reactions. On the one hand, there are those who deny the 
legitimacy of the information published on the grounds that most of the media reports are 
based on misinterpretation; in addition, many contest the validity of the disclosures, while 
not having refuted them, on the grounds of the risks they allegedly cause for national 
security and the fight against terrorism. 


On the other hand, there are those who consider the information provided requires an 
informed, public debate because of the magnitude of the problems it raises to issues key to a 
democracy including: the rule of law, fundamental rights, citizens’ privacy, public 
accountability of law-enforcement and intelligence services, etc. This is certainly the case for 
the journalists and editors of the world's biggest press outlets who are privy to the disclosures 
including The Guardian, Le Monde, Der Spiegel, The Washington Post and Glenn 
Greenwald. 


The two types of reactions outlined above are based on a set of reasons which, if followed, 
may lead to quite opposed decisions as to how the EU should or should not react. 


5 reasons not to act 


— The 'Intelligence/national security argument’: no EU competence 


Edward Snowden's revelations relate to US and some Member States’ intelligence 
activities, but national security is a national competence; the EU has no competence in 
such matters (except on EU internal security) and therefore no action is possible at EU 
level. 


— The 'Terrorism argument': danger of the whistleblower 


Any follow-up to these revelations, or their mere consideration, further weakens the 
security of the US as well as the EU, as it does not condemn the publication of documents 
whose content, even if redacted as the media players involved explain, may give valuable 
information to terrorist groups. 


— The ‘Treason argument’: no legitimacy for the whistleblower 


As mainly put forward by some in the US and in the United Kingdom, any debate 
launched or action envisaged further to E. Snowden’s revelations is intrinsically biased 
and irrelevant, as it would be based on an initial act of treason. 


— The 'realism argument’: general strategic interests 


Even if some mistakes and illegal activities were to be confirmed, they should be balanced 
against the need to maintain the special relationship between the US and Europe to 
preserve shared economic, business and foreign policy interests. 


— The ‘Good government argument’: trust your government 


US and EU Governments are democratically elected. In the field of security, and even 
when intelligence activities are conducted in order to fight against terrorism, they comply 
with democratic standards as a matter of principle. This ‘presumption of good and lawful 
governance’ rests not only on the goodwill of the holders of the executive powers in these 
states but also on the checks and balances mechanism enshrined in their constitutional 
systems. 


As one can see, reasons not to act are numerous and powerful. This may explain why most EU 
governments, after some initial strong reactions, have preferred not to act. The main action by 
the Council of Ministers has been to set up a 'transatlantic group of experts on data 
protection' which has met 3 times and put forward a final report. A second group is supposed 
to have met on intelligence related issues between US authorities and Member States’ ones, 
but no information is available. The European Council has addressed the surveillance problem 
in a mere statement of Heads of State or Government¹. Up until now only a few national 
parliaments have launched inquiries. 


¹ European Council Conclusions of 24-25 October 2013, in particular: “The Heads of State or Government took 
note of the intention of France and Germany to seek bilateral talks with the USA with the aim of finding before 
the end of the year an understanding on mutual relations in that field. They noted that other EU countries are 
welcome to join this initiative. They also pointed to the existing Working Group between the EU and the USA 
on the related issue of data protection and called for rapid and constructive progress in that respect”. 


5 reasons to act 


— The 'mass surveillance argument’: in which society do we want to live? 


Since the very first disclosure in June 2013, consistent references have been made to 
George Orwell's novel ‘1984’. Since the 9/11 attacks, a focus on security and a shift towards 
targeted and specific surveillance has seriously damaged and undermined the concept of 
privacy. The history of both Europe and the US shows us the dangers of mass surveillance 
and the graduation towards societies without privacy. 


— The ‘fundamental rights argument’: 


Mass and indiscriminate surveillance threaten citizens’ fundamental rights, including the right 
to privacy, data protection, freedom of the press and fair trial, which are all enshrined in the EU 
Treaties, the Charter of Fundamental Rights and the ECHR. These rights cannot be 
circumvented nor be negotiated against any benefit expected in exchange unless duly 
provided for in legal instruments and in full compliance with the treaties. 


— The ‘EU internal security argument’: 


National competence on intelligence and national security matters does not exclude a 
parallel EU competence. The EU has exercised the competences conferred upon it by the 
EU Treaties in matters of internal security by deciding on a number of legislative 
instruments and international agreements aimed at fighting serious crime and terrorism, on 
setting up an internal security strategy and agencies working in this field. In addition, 
other services have been developed reflecting the need for increased cooperation at EU 
level on intelligence-related matters: INTCEN (placed within EEAS) and the Anti- 
terrorism Coordinator (placed within the Council general secretariat), neither of them with 
a legal basis. 


— The 'deficient oversight argument’ 


While intelligence services perform an indispensable function in protecting against 
internal and external threats, they have to operate within the rule of law and to do so must 
be subject to a stringent and thorough oversight mechanism. The democratic oversight of 
intelligence activities is conducted at national level, but due to the international nature of 
security threats there is now a huge exchange of information between Member States and 
with third countries like the US; improvements in oversight mechanisms are needed both at 
national and at EU level if traditional oversight mechanisms are not to become ineffective 
and outdated. 


— The 'chilling effect on media’ and the protection of whistleblowers 


The disclosures of Edward Snowden and the subsequent media reports have highlighted the 
pivotal role of the media in a democracy to ensure accountability of Governments. When 
supervisory mechanisms fail to prevent or rectify mass surveillance, the role of media and 
whistleblowers in unveiling possible illegalities or misuses of power is extremely important. 
Reactions from the US and UK authorities to the media have shown the vulnerability of both 
the press and whistleblowers and the urgent need to do more to protect them. 


The European Union is called on to choose between a ‘business as usual’ policy (sufficient 
reasons not to act, wait and see) and a ‘reality check’ policy (surveillance is not new, but there 
is enough evidence of an unprecedented magnitude of the scope and capacities of intelligence 
agencies requiring the EU to act). 


Habeas Corpus in a Surveillance Society 


In 1679 the British parliament adopted the Habeas Corpus Act as a major step forward in 
securing the right to a judge in times of rival jurisdictions and conflicts of laws. Nowadays 
our democracies ensure proper rights for a convicted person or detainee who is in person physically 
subject to a criminal proceeding or brought before a court. But his or her data, as posted, 
processed, stored and tracked on digital networks, form a ‘body of personal data’, a kind of 
digital body specific to every individual, enabling much of his or her identity, 
habits and preferences of all types to be revealed. 


Habeas Corpus is recognised as a fundamental legal instrument to safeguarding individual 
freedom against arbitrary state action. What is needed today is an extension of Habeas Corpus 
to the digital era. Right to privacy, respect of the integrity and the dignity of the individual are 
at stake. Mass collections of data with no respect for EU data protection rules and specific 
violations of the proportionality principle in the data management run counter to the 
constitutional traditions of the Member States and the fundaments of the European 
constitutional order. 


The main novelty today is these risks do not only originate in criminal activities (against 
which the EU legislator has adopted a series of instruments) or from possible cyber-attacks 
from governments of countries with a lower democratic record. There is a realisation that such 
risks may also come from law-enforcement and intelligence services of democratic countries 
putting EU citizens or companies under conflicts of laws resulting in a lesser legal certainty, 
with possible violations of rights without proper redress mechanisms. 


Governance of networks is needed to ensure the safety of personal data. Before modern states 
developed, no safety on roads or city streets could be guaranteed and physical integrity was at 
risk. Nowadays, despite dominating everyday life, information highways are not secure. 
Integrity of digital data must be secured, against criminals of course but also against possible 
abuse of power by state authorities or contractors and private companies under secret judicial 
warrants. 


LIBE Committee Inquiry Recommendations 


Many of the problems raised today are extremely similar to those revealed by the European 
Parliament Inquiry on the Echelon programme in 2001. The impossibility for the previous 
legislature to follow up on the findings and recommendations of the Echelon Inquiry should 
serve as a key lesson to this Inquiry. It is for this reason that this Resolution, recognising both 
the magnitude of the revelations involved and their ongoing nature, is forward planning and 
ensures that there are specific proposals on the table for follow up action in the next 
Parliamentary mandate ensuring the findings remain high on the EU political agenda. 


Based on this assessment, the rapporteur would like to submit to the vote of the Parliament the 
following measures: 


A European Digital Habeas Corpus for protecting privacy based on 7 actions: 


Action 1: Adopt the Data Protection Package in 2014; 


Action 2: Conclude the EU-US Umbrella agreement ensuring proper redress 
mechanisms for EU citizens in case of data transfers from the EU to the US for law- 
enforcement purposes; 


Action 3: Suspend Safe Harbour until a full review is conducted and current 
loopholes are remedied, making sure that transfers of personal data for commercial 
purposes from the Union to the US can only take place in compliance with the 
highest EU standards; 


Action 4: Suspend the TFTP agreement until i) the Umbrella agreement 
negotiations have been concluded; ii) a thorough investigation has been concluded 
based on EU analysis and all concerns raised by the Parliament in its resolution of 
23 October have been properly addressed; 


Action 5: Protect the rule of law and the fundamental rights of EU citizens, with a 
particular focus on threats to the freedom of the press and professional 
confidentiality (including lawyer-client relations) as well as enhanced protection for 
whistleblowers; 


Action 6: Develop a European strategy for IT independence (at national and EU 
level); 


Action 7: Develop the EU as a reference player for a democratic and neutral 
governance of the Internet; 


After the conclusion of the Inquiry the European Parliament should continue acting as EU 
citizens' rights watchdog with the following timetable to monitor implementation: 


• April-July 2014: a monitoring group based on the LIBE Inquiry team 
responsible for monitoring any new revelations in the media concerning the 
Inquiry's mandate and scrutinising the implementation of this resolution; 


• July 2014 onwards: a standing oversight mechanism for data transfers and 
judicial remedies within the competent committee; 


• Spring 2014: a formal call on the European Council to include the European 
Digital Habeas Corpus in the guidelines to be adopted under Article 68 TFEU; 


• Autumn 2014: a commitment that the European Digital Habeas Corpus and 
related recommendations will serve as key criteria for the approval of the next 
Commission; 


• 2014-2015: a Trust/Data/Citizens’ rights group to be convened on a regular 
basis between the European Parliament and the US Congress as well as with 
other committed third-country parliaments including Brazil; 


• 2014-2015: a conference with the intelligence oversight bodies of 
European national parliaments; 


• 2015: a conference gathering high-level European experts in the various fields 
conducive to IT security (including mathematics, cryptography, privacy 
enhancing technologies, ...) to help foster an EU IT strategy for the next 
legislature; 
ANNEX I: LIST OF WORKING DOCUMENTS 


LIBE Committee Inquiry 


Each working document is listed with its author(s), where shown on the page, and the 
paragraph(s) of the 4 July 2013 mandate it covers: 


- US and EU Member Surveillance programmes and their impact on EU citizens' 
fundamental rights: 16 (a) (b) (c) (d) 

- US surveillance activities with respect to EU data and its possible legal implications on 
transatlantic agreements and cooperation: 16 (a) (b) (c) 

- Mrs In't Veld (ALDE) & Mrs Ernst: Democratic oversight of Member State intelligence 
services and of EU intelligence bodies: 15, 16 (a) (c) (e) 

- Mr Albrecht (GREENS/EFA): The relation between the surveillance practices in the EU 
and the US and the EU data protection provisions: 16 (c) (e) (f) 

- Scope of International, European and national security in the EU perspective: 16 (a) (b) 

- Foreign Policy Aspects of the Inquiry on Electronic Mass Surveillance of EU Citizens: 
16 (a) (b) (f) 
ANNEX II: LIST OF HEARINGS AND EXPERTS 


LIBE COMMITTEE INQUIRY 
ON US NSA SURVEILLANCE PROGRAMME, 
SURVEILLANCE BODIES IN VARIOUS MEMBER STATES 
AND THEIR IMPACT ON EU CITIZENS' FUNDAMENTAL RIGHTS AND ON 
TRANSATLANTIC COOPERATION IN JUSTICE AND HOME AFFAIRS 


Following the European Parliament resolution of 4th July 2013 (para. 16), the LIBE 
Committee has held a series of hearings to gather information relating to the different aspects at 
stake, assess the impact of the surveillance activities covered, notably on fundamental rights 
and data protection rules, explore redress mechanisms and put forward recommendations to 
protect EU citizens' rights, as well as to strengthen the IT security of the EU Institutions. 









5 September 2013, 15.00 - 18.30 (BXL) 

- Exchange of views with the journalists unveiling the case and having made public the facts 
  • Jacques FOLLOROU, Le Monde 
  • Jacob APPELBAUM, investigative journalist, software developer and computer security 
    researcher with the Tor Project 
  • Alan RUSBRIDGER, Editor-in-Chief of Guardian News and Media (via videoconference) 


12 September 2013, 10.00 - 12.00 (STR) 

- Follow-up of the Temporary Committee on the ECHELON Interception System 
  • Carlos COELHO (MEP), former Chair of the Temporary Committee on the ECHELON 
    Interception System 
  • Gerhard SCHMID (former MEP and Rapporteur of the ECHELON report 2001) 
  • Duncan CAMPBELL, investigative journalist and author of the STOA report 
    ‘Interception Capabilities 2000’ 

- Feedback of the meeting of the EU-US Transatlantic group of experts on data protection of 
  19/20 September 2013 - working method and cooperation with the LIBE Committee 
  Inquiry (In camera) 
  • Darius ZILYS, Council Presidency, Director International Law Department, Lithuanian 
    Ministry of Justice (co-chair of the EU-US ad hoc working group on data protection) 
  • Paul NEMITZ, Director DG JUST, European Commission (co-chair of the EU-US ad hoc 
    working group on data protection) 
  • Reinhard PRIEBE, Director DG HOME, European Commission (co-chair of the EU-US 
    ad hoc working group on data protection) 

- Exchange of views with Article 29 Data Protection Working Party 
  • Jacob KOHNSTAMM, Chairman 


24 September 2013, 9.00 - 11.30 and 15.00 - 18.30 (BXL), with AFET 

- Allegations of NSA tapping into the SWIFT data used in the TFTP programme 
  • Cecilia MALMSTRÖM, Member of the European Commission 
  • Rob WAINWRIGHT, Director of Europol 
  • Blanche PETRE, General Counsel of SWIFT 

- Feedback of the meeting of the EU-US Transatlantic group of experts on data protection of 
  19/20 September 2013 
  • Darius ZILYS, Council Presidency, Director International Law Department, Lithuanian 
    Ministry of Justice (co-chair of the EU-US ad hoc working group on data protection) 
  • Paul NEMITZ, Director DG JUST, European Commission (co-chair of the EU-US ad hoc 
    working group on data protection) 
  • Reinhard PRIEBE, Director DG HOME, European Commission (co-chair of the EU-US 
    ad hoc working group on data protection) 

- Exchange of views with US Civil Society (part I) 
  • Jens-Henrik JEPPESEN, Director, European Affairs, Center for Democracy & 
    Technology (CDT) 
  • Greg NOJEIM, Senior Counsel and Director of Project on Freedom, Security & 
    Technology, Center for Democracy & Technology (CDT) (via videoconference) 


- Effectiveness of surveillance in fighting crime and terrorism in Europe 
  • Dr Reinhard KREISSL, Coordinator, Increasing Resilience in Surveillance Societies 
    (IRISS) (via videoconference) 

- Presentation of the study on the US surveillance programmes and their impact on EU 
  citizens’ privacy 
  • Caspar BOWDEN, Independent researcher, ex-Chief Privacy Adviser of Microsoft, 
    author of the Policy Department note commissioned by the LIBE Committee on the US 
    surveillance programmes and their impact on EU citizens' privacy 

- Exchange of views with US Civil Society (Part II) 
  • Marc ROTENBERG, Electronic Privacy Information Centre (EPIC) 
  • Catherine CRUMP, American Civil Liberties Union (ACLU) 

- Whistleblowers’ activities in the field of surveillance and their legal protection 
  Statements by whistleblowers: 
  • Thomas DRAKE, ex-NSA Senior Executive 
  • J. Kirk WIEBE, ex-NSA Senior analyst 
  • Annie MACHON, ex-MI5 Intelligence officer 
  Statements by NGOs on legal protection of whistleblowers: 
  • Jesselyn RADACK, lawyer and representative of 6 whistleblowers, Government 
    Accountability Project 
  • John DEVITT, Transparency International Ireland 

- Allegations of ‘hacking’ / tapping into the Belgacom systems by intelligence services 
  (UK GCHQ) 
  • Mr Geert STANDAERT, Vice President Service Delivery Engine, BELGACOM S.A. 
  • Mr Dirk LYBAERT, Secretary General, BELGACOM S.A. 
  • Mr Frank ROBBEN, Commission de la Protection de la Vie Privée Belgique, 
    co-rapporteur ‘dossier Belgacom’ 


7 October 2013, 19.00 - 21.30 (STR) 

- Impact of US surveillance programmes on the US Safe Harbour 
  • Dr. Imke SOMMER, Die Landesbeauftragte für Datenschutz und Informationsfreiheit 
    der Freien Hansestadt Bremen (GERMANY) 
  • Christopher CONNOLLY, Galexia 
  • Peter HUSTINX, European Data Protection Supervisor (EDPS) 

- Impact of US surveillance programmes on other instruments for international transfers 
  (contractual clauses, binding corporate rules) 
  • Ms. Isabelle FALQUE-PIERROTIN, President of CNIL (FRANCE) 


14 October 2013, 15.00 - 18.30 (BXL) 

- Electronic Mass Surveillance of EU Citizens and International, Council of Europe and 
  EU Law 
  • Martin SCHEININ, Former UN Special Rapporteur on the promotion and protection of 
    human rights while countering terrorism, Professor European University Institute and 
    leader of the FP7 project ‘SURVEILLE’ 
  • Judge Bostjan ZUPANCIC, Judge at the ECHR (via videoconference) 
  • Douwe KORFF, Professor of Law, London Metropolitan University 

- Court cases on Surveillance Programmes 
  • Dominique GUIBERT, Vice-Président of the ‘Ligue des Droits de l'Homme’ (LDH) 
  • Nick PICKLES, Director of Big Brother Watch 
  • Constanze KURZ, Computer Scientist, Project Leader at Forschungszentrum für Kultur 
    und Informatik 


- The role of EU IntCen in EU Intelligence activity (in camera) 
  • Mr Ilkka SALMI, Director of EU Intelligence Analysis Centre (IntCen) 

- National programmes for mass surveillance of personal data in EU Member States and 
  their compatibility with EU law 
  • Dr. Sergio CARRERA, Senior Research Fellow and Head of the JHA Section, Centre for 
    European Policy Studies (CEPS), Brussels 
  • Dr. Francesco RAGAZZI, Assistant Professor in International Relations, Leiden 
    University 

- The role of Parliamentary oversight of intelligence services at national level in an era of 
  mass surveillance (Part I) 
  • Mr Iain CAMERON, Member of the European Commission for Democracy through Law - 
    ‘Venice Commission’ (Venice Commission) 
  • Mr Ian LEIGH, Professor of Law, Durham University 
  • Mr David BICKFORD, Former Legal Director of the Security and intelligence agencies 
    MI5 and MI6 (UK) 
  • Mr Gus HOSEIN, Executive Director, Privacy International 

- EU-US transatlantic experts group 
  • Mr Paul NEMITZ, Director - Fundamental Rights and Citizenship, DG JUST, European 
    Commission 
  • Mr Reinhard PRIEBE, Director - Crisis Management and Internal Security, DG Home, 
    European Commission 

- US surveillance programmes and their impact on EU citizens’ privacy (statement by 
  Mr Jim SENSENBRENNER, Member of the US Congress) 
  • Mr Jim SENSENBRENNER, US House of Representatives (Member of the Committee 
    on the Judiciary and Chairman of the Subcommittee on Crime, Terrorism, Homeland 
    Security, and Investigations) 

- The role of Parliamentary oversight of intelligence services at national level in an era of 
  mass surveillance (NL, SW) (Part II) 
  • Mr Peter ERIKSSON, Chair of the Committee on the Constitution, Swedish Parliament 
    (Riksdag) 
  • Mr A.H. VAN DELDEN, Chair of the Dutch independent Review Committee on the 
    Intelligence and Security Services (CTIVD) 

- US NSA programmes for electronic mass surveillance and the role of IT Companies 
  (Microsoft, Google, Facebook) 
  • Ms Dorothee BELZ, Vice-President, Legal and Corporate Affairs Microsoft EMEA 
    (Europe, Middle East and Africa) 
  • Mr Nicklas LUNDBLAD, Director, Public Policy and 
Government Relations, Google 

e Mr Richard ALLAN, Director 
EMEA Public Policy, Facebook 






















14" November 








- IT Security of EU institutions Mr Giancarlo VILELLA, 


2013 15.00 — | (Part I) (EP, COM (CERT-EU), Director General, DG ITEC, 
18.30 (BXL) (eu-LISA) European Parliament. 
e Mr Ronald PRINS, Director and 


With AFET 
: co-founder of Fox-IT 

Mr Freddy DEZEURE, head of 

task force CERT-EU, DG 

DIGIT, European Commission 

e MrLuca ZAMPAGLIONE, 

‘Security Officer, eu-LISA 




















- The role of Parliamentary 
oversight of intelligence services at 
national level in an era of mass 
surveillance (Part III)(BE, DA) 







Mr Armand DE DECKER, Vice- 

Chair of the Belgian Senate, 

Member of the Monitoring 

Committee of the Intelligence 

Services Oversight Committee 

e Mr Guy RAPAILLE, Chair of 
the Intelligence Services 
Oversight Committee (Comité 
R) 

e Mr Karsten LAURITZEN, 
Member of the Legal Affairs 

"^. Committee, Spokesperson for 

Legal Affairs — Danish Folketing 

Dr Adam BODNAR, Vice- 

President of the Board, Helsinki 

Foundation for Human Rights 

(Poland 

e Mr Michael TETZSCHNER, 

member of The Standing 
_ Committee on Scrutiny and 


































18 November 


2013 19.00 — 
21.30 (STR) 








- Court cases and other complaints - 
on national surveillance programs 
(Part IT) (Polish NGO) 



































2™ December 
2013 15.00 — 
18.30 (BXL) 


- The role of Parliamentary 
oversight of intelligence services at 
national level in an era of mass 
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Constitutional Affairs, Norway 
. . (Stortinget) 


e Mr Olivier BURGERSDIIK, 
Head of Strategy, European 
Cybercrime Centre, EUROPOL 

e Prof. Udo HELMBRECHT, 
Executive Director of ENISA 

e Mr Florian WALTHER, 
Independent IT-Security 
consultant — 

e Mr Jonathan GOLDSMITH, 

Secretary General, Council of 

Bars and Law Societies of 

Europe (CCBE) 

Ms Viviane REDING, Vice 

President of the European 

Commission 


FEES surveillance (Part IV) (Norway) 


5" December | - IT Security of EU institutions 
2013, 15.00 — | (Part IT) 
18.30 (BXL) | 





















































- The impact of mass surveillance 
on confidentiality of lawyer-client 
relations 











9™ December 


2013 
(STR) 


- Rebuilding Trust on EU-US Data 
flows 


















e Mr Arcadio DIAZ TEJERA, 
Member of the Spanish Senate, - 
Member of the Parliamentary 
Assembly of the Council of 
Europe and Rapporteur on its 
Resolution 1954 (2013) on 

*National security and access to 

information’ 

Ms Vanessa GRAZZIOTIN, 


- Council of Europe Resolution 
1954 (2013) on “National security 
and access to information’ 

































177-18 Parliamentary Committee of 


December Inquiry on Espionage ofthe Chair of the Parliamentary 
(BXL) Brazilian Senate Committee of Inquiry on 
(Videoconference) Espionage 





e Mr Ricardo DE REZENDE 
. FERRACO, Rapporteur of the 
Parliamentary Committee of 
Inquiry on Espionage 















IT means of protecting privacy Mr Bart PRENEEL, Professor in 


Computer Security and Industrial 
Cryptography in the University 
- KU Leuven, Belgium 

e Mr Stephan LECHNER, 
Director, Institute for the 
Protection and Security ofthe 
Citizen (IPSC), - Joint Research 
Centre(JRC), European 
Commission 

e Dr. Christopher SOGHOIAN, 

Principal Technologist, Speech, 
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Privacy & Technology Project, 
American Civil Liberties Union 
Christian HORCHERT, IT- 
Security Consultant, Germany 


Exchange of views with the Mr Glenn GREENWALD, 

Journalist having made public the Author and columnist with a 

facts (Part II) (Videoconference) focus on national security and 
civil liberties, formerly of the 
Guardian | 
ANNEX III: LIST OF EXPERTS WHO DECLINED PARTICIPATING IN THE LIBE INQUIRY PUBLIC HEARINGS

1. Experts who declined the LIBE Chair's Invitation

US
• Mr Keith Alexander, General US Army, Director NSA¹
• Mr Robert S. Litt, General Counsel, Office of the Director of National Intelligence²
• Mr Robert A. Wood, Chargé d'affaires, United States Representative to the European Union

United Kingdom
• Sir Iain Lobban, Director of the United Kingdom's Government Communications Headquarters (GCHQ)

France
• M. Bajolet, Director General of External Security, France
• M. Calvar, Central Director of Internal Security, France

Netherlands
• Mr Ronald Plasterk, Minister of the Interior and Kingdom Relations, the Netherlands
• Mr Ivo Opstelten, Minister of Security and Justice, the Netherlands

Poland
• Mr Dariusz Luczak, Head of the Internal Security Agency of Poland
• Mr Maciej Hunia, Head of the Polish Foreign Intelligence Agency

Private IT Companies
• Tekedra N. Mawakana, Global Head of Public Policy and Deputy General Counsel, Yahoo
• Dr Saskia Horsch, Senior Manager Public Policy, Amazon

EU Telecommunication Companies
• Ms Doutriaux, Orange
• Mr Larry Stone, President Group Public & Government Affairs British Telecom, UK
• Telekom, Germany
• Vodafone

¹ The Rapporteur met with Mr Alexander together with Chairman Brok and Senator Feinstein in Washington on 29 October 2013.
² The LIBE delegation met with Mr Litt in Washington on 29 October 2013.

2. Experts who did not respond to the LIBE Chair's Invitation

Germany
• Mr Gerhard Schindler, President of the Federal Intelligence Service (Bundesnachrichtendienst)

Netherlands
• Ms Berndsen-Jansen, Chair of the Standing Committee on the Interior, Tweede Kamer der Staten-Generaal, Netherlands
• Mr Rob Bertholee, Director of the General Intelligence and Security Service (AIVD)

Sweden
• Mr Ingvar Åkesson, National Defence Radio Establishment (Försvarets radioanstalt, FRA)
Document 2014/0109527

From: Gitter, Rotraud, Dr.
Sent: Tuesday, 4 March 2014 10:53
To: RegIT3
Subject: FW: VERY URGENT - Request for co-signature: Statement on the draft consolidated report of the LIBE Committee on surveillance programmes, inter alia of the US NSA
Importance: High

To file.

p.p.
R. Gitter

Dr. Rotraud Gitter LL.M. Eur.
Bundesministerium des Innern
Division IT 3 - IT Security
Alt-Moabit 101 D
10559 Berlin
Tel: +49-30-18681-1584
Fax: +49-30-18681-51584

From: Gitter, Rotraud, Dr.
Sent: Monday, 3 March 2014 14:27
To: OESI3AG
Cc: Jergl, Johann; Weinbrenner, Ulrich
Subject: FW: VERY URGENT - Request for co-signature: Statement on the draft consolidated report of the LIBE Committee on surveillance programmes, inter alia of the US NSA
Importance: High

Dear Johann,
I naturally withdraw the request for approval!

IT3 was not involved in the original statement on the draft LIBE report of January 2014, to which the submission (LV) circulated for co-signature and its annexes refer (sent, among others, to the DEU committee member). Co-signature can therefore only be given with the following remark:

In principle, the statement on the development of a strategy for a European (more independent) IT industry (No. 7 in the "Digital Habeas Corpus") can be supported. However, the very extensive remarks on IT security preceding that section (paragraphs 90 to 109) also contain several points that are critical from the German perspective. The LV and its annexes can therefore only be co-signed with the changes shown in the attachment, which address at least the most essential points.

With regard to the remarks on cloud computing (in particular paragraph 69), I suggest involving IT1. I further ask that IT3 be involved as the matter proceeds.

14-02-28 Stn Ko...

p.p.
R. Gitter

Dr. Rotraud Gitter LL.M. Eur.
Bundesministerium des Innern
Division IT 3 - IT Security
Alt-Moabit 101 D
10559 Berlin
Tel: +49-30-18681-1584
Fax: +49-30-18681-51584

From: Kurth, Wolfgang
Sent: Monday, 3 March 2014 10:52
To: Gitter, Rotraud, Dr.
Subject: FW: VERY URGENT - Request for co-signature: Statement on the draft consolidated report of the LIBE Committee on surveillance programmes, inter alia of the US NSA
Importance: High

From: Jergl, Johann
Sent: Monday, 3 March 2014 10:48
To: OESII_; Papenkort, Katja, Dr.; IT3; Kurth, Wolfgang; PGDS_; Schiender, Katharina
Cc: PGNSA; OESI3AG; Weinbrenner, Ulrich
Subject: VERY URGENT - Request for co-signature: Statement on the draft consolidated report of the LIBE Committee on surveillance programmes, inter alia of the US NSA
Importance: High

Dear colleagues,

I would be grateful for your co-signature of the attached submission to the State Secretary on the draft consolidated report of the LIBE Committee on surveillance programmes, inter alia of the US NSA:
• PG DS regarding the EU data protection package and Safe Harbor (you co-signed the statement on the draft version of the report in January),
• ÖS II 1 regarding SWIFT (No. 4 in the "Digital Habeas Corpus"),
• IT3 regarding the development of a strategy for a European (more independent) IT industry (No. 8 in the "Digital Habeas Corpus").

I also attach the changes compared with the draft version of the report that was submitted to BMI in January.

vergleich.docx

Because of the tight deadlines, I ask for your reply by 13:30 today, 3 March.

Kind regards,
On behalf of

Johann Jergl

Bundesministerium des Innern
Working Group ÖS I 3

Alt-Moabit 101 D, 10559 Berlin
Telephone: 030 18681 1767
Fax: 030 18681 51767

E-mail: johann.jergl@bmi.bund.de

Internet: www.bmi.bund.de
Attachment to document 2014-0109527.msg

1. 14-02-28 Stn Kosolidierter LIBE-Bericht final IT3.docx, 11 pages
2. vergleich.docx, 66 pages

1)

Annex

Project Group NSA                                Berlin, 28 February 2014
ÖS I 3 - 52000/4#1                               Extension: 1767
AGL: MinR Weinbrenner
AGM: MinR Taube
Ref.: ORR Jergl

To Parliamentary State Secretary Dr. Krings
via: PSt Dr. Schröder
     State Secretary Dr. Haber
     Head of Directorate-General ÖS
     Head of Directorate ÖS I
Copies:

PG DS and Divisions ÖS II 1 and IT3 have co-signed.

Re: Draft consolidated report of the LIBE Committee on surveillance programmes, inter alia of the US NSA

Annexes: 3

1. Recommendation

• Approval of the attached statement on the consolidated report of the LIBE Committee
• Approval of forwarding this statement to
  > MEP Axel Voss via PSt S (draft letter, Annex 2),
  > MdB Hans-Peter Uhl and
  > the Federal Chancellery (BKAmt) (as in Annex 3)
Facts

On the basis of expert hearings, talks with US and EU authorities and newspaper articles, the EP's LIBE Committee has drawn up a report on surveillance programmes, inter alia of the NSA. A draft of the consolidated report now forwarded was submitted to BMI for review in January 2014.

The consolidated report still states that the NSA, in part jointly with authorities in the UK, Canada and New Zealand, conducts mass surveillance of electronic communications and thereby presumably also violates the rights of EU citizens and Member States. It contains a broad bundle of measures: review and adaptation of agreements with the USA, strengthening of ENISA, the Europol Cybercrime Centre (EC3) and the European Data Protection Supervisor (EDPS), strengthening of IT security, and various appeals to the Commission and the Member States. Its centrepiece is a "Digital Habeas Corpus" for the "protection of fundamental rights in the digital age", which now comprises eight points (seven in the January draft).

A member of staff of MEP Voss has asked PSt S and MdB Uhl for a statement. Directorate-General 6 of the Federal Chancellery requests the same.

Assessment

Compared with the draft version, the report has been extensively revised (comparison version in Annex 1). However, the concerns already expressed in January have for the most part still not been dispelled. In detail:

I. "Digital Habeas Corpus"

1. Conclusion of the data protection package in 2014
Does not appear promising. A large number of important questions remain to be clarified. Thoroughness must therefore take precedence over speed.

2. Conclusion of the EU-US data protection agreement
No concerns. The Commission (KOM) is responsible.

3. Suspension of the Safe Harbour agreement
The Federal Government has advocated creating a legal framework in the General Data Protection Regulation to improve Safe Harbour. If the General Data Protection Regulation cannot be adopted by 2015, Safe Harbour can also be revised and improved under Directive 95/46.

4. Suspension of the TFTP agreement (concerning access to SWIFT data for counter-terrorism purposes) until the conclusion of the data protection agreement
Given that the Commission, after concluding its consultations on the allegations that the USA had accessed the SWIFT server directly in circumvention of the TFTP agreement, found no indications of a violation, there is currently no reason to suspend the agreement.

5. (new) Evaluation of all agreements or other exchanges with third countries on the basis of which personal data are processed
The subject is to be the possible violation of the protection of these data by surveillance measures in the third countries. Such an undertaking would require knowing the details of third countries' surveillance measures or at least being able to assess them reliably. A willingness to disclose measures at the level of detail required for this is not to be expected. Such an undertaking is therefore unlikely to be promising and would at the same time be very laborious.

6. Better protection of the rights of EU citizens (without specification)
No concerns.

7. Development of a strategy for a European (more independent) IT industry ("digital new deal")
Agreement in principle; the coalition agreement contains a comparable measure:
"To protect freedom and security on the Internet, we are strengthening and shaping the Internet infrastructure of Germany and Europe as a space of trust. To this end, we advocate a European cybersecurity strategy, take measures to regain technological sovereignty, support the development of trustworthy IT and network infrastructure and the development of secure software and hardware and secure cloud technology, and also welcome offers of national or European routing."

8. EU policy as a reference for democratic and neutral Internet governance
No concerns.

II. Further points

In its assessment of the draft report of January 2014, BMI additionally pointed out points that are particularly critical from the German perspective and suggested their deletion.

An improvement in this respect can be found only in "Main findings" No. 2 of the consolidated report, where it is no longer alleged that Germany, too, operates surveillance programmes similar to PRISM.

However, "Recommendation" No. 22 (previously 20) still contains a call also on Germany (as an alleged part of a so-called "14-eyes" programme) to review or revise its legislation. The relevant German provisions comply with the requirements of the corresponding judgments of the Federal Constitutional Court and are compatible with fundamental rights. Independently of that, national security legislation lies outside the competence of the EU and thus also of the EP. Deletion of this recommendation should therefore continue to be sought.

• In Recommendation 99, new insertions have added, among other things, an explicit call on the Commission to examine expanding the competences and resources of certain EU bodies with the aim that they play a key role in ensuring IT security and preventing IT attacks in the EU; the establishment of a dedicated CERT for the EU and its Member States is also to be examined. Germany (DEU) supports strengthening the capacities and improving the cooperation of the Member States in the field of IT security. In the operational area in particular, however, competence lies with the Member States, and corresponding activities, too, must [...] with the Member [...]
[...] the second half-sentence (from "and to establish within ENISA's structure a Computer Emergency response Team (CERT) for the EU and its Member States"); its deletion should therefore be sought.

Weinbrenner          Jergl
Annex 3

Statement by BMI on the draft consolidated report of the LIBE Committee on surveillance programmes, inter alia of the US NSA

I. "Digital Habeas Corpus"

1. Conclusion of the data protection package in 2014
Does not appear promising. A large number of important questions remain to be clarified. Thoroughness must therefore take precedence over speed.

2. Conclusion of the EU-US data protection agreement
No concerns. The Commission (KOM) is responsible.

3. Suspension of the Safe Harbour agreement
The Federal Government has advocated creating a legal framework in the General Data Protection Regulation to improve Safe Harbour. If the General Data Protection Regulation cannot be adopted by 2015, Safe Harbour can also be revised and improved under Directive 95/46. The question of whether a suspension of the Safe Harbour agreement is an option is being discussed together with our European partners in Brussels.

4. Suspension of the TFTP agreement (concerning access to SWIFT data for counter-terrorism purposes) until the conclusion of the data protection agreement
Given that the Commission, after concluding its consultations on the allegations that the USA had accessed the SWIFT server directly in circumvention of the TFTP agreement, found no indications of a violation, in our view there is currently no reason to suspend the agreement.

5. (new) Evaluation of all agreements or other exchanges with third countries on the basis of which personal data are processed
The subject of the evaluation is to be the possible violation of the protection of these data by surveillance measures in the third countries. Such an undertaking would, in our view, require knowing the details of third countries' surveillance measures or at least being able to assess them reliably. In our experience, a willingness to disclose measures at the level of detail required for this is regularly not to be expected. We therefore do not consider this undertaking promising, while at the same time it would be very laborious.

6. Better protection of the rights of EU citizens (without specification)
No concerns.

7. Development of a strategy for a European (more independent) IT industry ("digital new deal")
Agreement; the coalition agreement contains a comparable measure:
"To protect freedom and security on the Internet, we are strengthening and shaping the Internet infrastructure of Germany and Europe as a space of trust. To this end, we advocate a European cybersecurity strategy, take measures to regain technological sovereignty, support the development of trustworthy IT and network infrastructure and the development of secure software and hardware and secure cloud technology, and also welcome offers of national or European routing."

8. EU policy as a reference for democratic and neutral Internet governance
No concerns.

II. Further points

In its assessment of the draft report of January 2014, BMI additionally pointed out points that are particularly critical from the German perspective and suggested their deletion.

An improvement in this respect can be found in "Main findings" No. 2 of the consolidated report, where it is no longer alleged that Germany, too, operates surveillance programmes similar to PRISM.

However, "Recommendation" No. 22 (previously 20) still contains a call also on Germany (as an alleged part of a so-called "14-eyes" programme) to review or revise its legislation. The relevant German provisions comply with the requirements of the corresponding judgments of the Federal Constitutional Court and are compatible with fundamental rights. Independently of that, national security legislation lies outside the competence of the EU and thus also of the EP. Deletion of this recommendation is therefore still considered necessary.

• In Recommendation 99, new insertions have added, among other things, an explicit call on the Commission to examine expanding the competences and resources of certain EU bodies with the aim that they play a key role in ensuring IT security and preventing IT attacks in the EU; the establishment of a dedicated CERT for the EU and its Member States is also to be examined. Germany (DEU) supports strengthening the capacities and improving the cooperation of the Member States in the field of IT security. In the operational area in particular, however, competence lies with the Member States, and corresponding activities, too, must [...] with the Member [...]
[...] the second half-sentence (from "and to establish within ENISA's structure a Computer Emergency response Team (CERT) for the EU and its Member States"); its deletion should therefore be sought.
Annex 2

Draft letter PStS

Mr
Axel Voss, MEP
European Parliament
ASP 15 E 150
Rue Wiertz
B-1047 Brussels

Dear Mr Voss,

Thank you very much for sending the consolidated draft report of the LIBE Committee. I am glad to take this opportunity to comment on it from the perspective of BMI and would like to address the following sections, which seem to me particularly important:

I. "Digital Habeas Corpus"

1. Conclusion of the data protection package in 2014
According to our assessment of the current state of negotiations, this does not appear promising. A large number of important questions remain to be clarified. Thoroughness must therefore take precedence over speed.

2. Conclusion of the EU-US data protection agreement
I have no objections to this project, which falls within the competence of the Commission (KOM).

3. Suspension of the Safe Harbour agreement
The Federal Government has advocated creating a legal framework in the General Data Protection Regulation to improve Safe Harbour. If the General Data Protection Regulation cannot be adopted by 2015, Safe Harbour can also be revised and improved under Directive 95/46.

4. Suspension of the TFTP agreement (concerning access to SWIFT data for counter-terrorism purposes) until the conclusion of the data protection agreement
Given that the Commission, after concluding its consultations on the allegations that the USA had accessed the SWIFT server directly in circumvention of the TFTP agreement, found no indications of a violation, in my view there is currently no reason to suspend the agreement.

5. Evaluation of all agreements or other exchanges with third countries on the basis of which personal data are processed
The subject of the evaluation is to be the possible violation of the protection of these data by surveillance measures in the third countries. Such an undertaking would, in my view, require knowing the details of third countries' surveillance measures or at least being able to assess them reliably. Experience shows that a willingness to disclose measures at the level of detail required for this is regularly not to be expected. I therefore do not consider this undertaking promising, while at the same time it would be very laborious.

6. Better protection of the rights of EU citizens (without specification)
No concerns.

7. Development of a strategy for a European (more independent) IT industry ("digital new deal")
Agreement; the coalition agreement contains a comparable measure:
"To protect freedom and security on the Internet, we are strengthening and shaping the Internet infrastructure of Germany and Europe as a space of trust. To this end, we advocate a European cybersecurity strategy, take measures to regain technological sovereignty, support the development of trustworthy IT and network infrastructure and the development of secure software and hardware and secure cloud technology, and also welcome offers of national or European routing."

8. EU policy as a reference for democratic and neutral Internet governance
No concerns.

II. Further points

In its assessment of the draft report of January 2014, BMI additionally pointed out points that are particularly critical from the German perspective and suggested their deletion.

I can see an improvement in this respect in "Main findings" No. 2 of the consolidated report, where it is no longer alleged that Germany, too, operates surveillance programmes similar to PRISM.

However, "Recommendation" No. 22 still contains a call also on Germany (as an alleged part of a so-called "14-eyes" programme) to review or revise its legislation. The relevant German provisions comply with the requirements of the corresponding judgments of the Federal Constitutional Court and are compatible with fundamental rights. Independently of that, national security legislation lies outside the competence of the EU and thus also of the EP.

I therefore continue to consider deletion of this recommendation necessary and would be grateful if you could support this with a corresponding amendment.

Kind regards

N.d.H. PStS
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MOTION FOR A EUROPEAN PARLIAMENT RESOLUTION 


on the US NSA surveillance programme, surveillance bodies in various Member States and 
their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and 
Home Affairs 

(2013/2188(INT)) 


The European Parliament, 


— having regard to the Treaty on European Union (TEU), in particular Articles 2, 3, 4, 5, 
6, 7, 10, 11 and 21 thereof, 


— having regard to the Treaty on the Functioning of the European Union (TFEU), in 
particular Articles 15, 16 and 218 and Title V thereof, 


— having regard to Protocol 36 on transitional provisions and Article 10 thereof and to 
Declaration 50 concerning this protocol, 


— having regard to the Charter on Fundamental Rights of the European Union, in 
particular Articles 1, 3, 6, 7, 8, 10, 11, 20, 21, 42, 47, 48 and 52 thereof, 


— having regard to the European Convention on Human Rights, notably #s-Articles 6, 8, 
9, 10 and 13 thereof, and the protocols thereto, 





- having regard to the Universal Declaration of Human Rights, notably its-Artic les 7, 8, 
10,11,12 and 14 thereof!, 


— having regard to the International Covenant on Civil and Political Rights, notably its 
Articles 14, 17, 18 and 19 thereof. 





- having regard to the Council of Europe Convention on Data Protection (ETS No 108) 
and #sthe Additional Protocol of 8 November 2001 to the Convention for the | 
Protection of Individuals with regard to Automatic Processing of Personal Data 
regarding supervisory authorities and transborder data flows(ETS No 181), 


_ having regard to the Vienna Convention on Diplomatic Relations, notably Articles 24, 
27 and 40 thereof. 





— having regard to the Council of Europe Convention on Cybercrime (ETS No 185), 

_ having regard to the Repertreport ofthe UN Special Rapporteur onthe promotionand | 
protection of human rights and fundamental freedoms while Countering terrorism, 
submitted on 17 May 20102, 


— having regard to the Repertreport of the UN Special Rapporteur on the promotion and | 


| http:/www.un.ore/en/doc ts 
? http://daccess-dds-ny.wn. /G10/134/] E 410.pdf?OpenElement 
PERMIOI4J03EN-RRM 0207 13EN.doc 3/66 PE526.0853:02v03-00 
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protection of the right to freedom of opinion and expression, submitted on 17 April 
2013!, ; l . 


— having regard to the Guidelines on human rights and the fight against terrorism
adopted by the Committee of Ministers of the Council of Europe on 11 July 2002,

— having regard to the Declaration of Brussels of 1 October 2010, adopted at the 6th
Conference of the Parliamentary Committees for the Oversight of Intelligence and
Security Services of the European Union Member States,

— having regard to Council of Europe Parliamentary Assembly Resolution No 1954
(2013) on national security and access to information,

— having regard to the report on the democratic oversight of the security services
adopted by the Venice Commission on 11 June 2007², and expecting with great
interest the update thereof, due in spring 2014,

— having regard to the testimonies of the representatives of the oversight committees on
intelligence of Belgium, the Netherlands, Denmark and Norway,

— having regard to the cases lodged before the French³, Polish and British⁴ courts, as
well as before the European Court of Human Rights⁵, in relation to systems of mass
surveillance,

— having regard to the Convention established by the Council in accordance with Article
34 of the Treaty on European Union on Mutual Assistance in Criminal Matters
between the Member States of the European Union, and in particular to Title III
thereof⁶,

— having regard to Commission Decision 520/2000 of 26 July 2000 on the adequacy of
the protection provided by the Safe Harbour privacy principles and the related
frequently asked questions (FAQs) issued by the US Department of Commerce,

— having regard to the Commission's assessment reports on the implementation of the
Safe Harbour privacy principles of 13 February 2002 (SEC(2002)0196) and of
20 October 2004 (SEC(2004)1323),

— having regard to the Commission communication of 27 November 2013
(COM(2013)0847) on the functioning of the Safe Harbour from the perspective of EU
citizens and companies established in the EU, and to the Commission communication
of 27 November 2013 on rebuilding trust in EU-US data flows (COM(2013)0846),

¹ http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf
² Dou enice-eos-in ebtormsdocumentDL-A J- 20 L-6-a52
³ La Fédération Internationale des Ligues des Droits de l'Homme and La Ligue française pour la défense des
droits de l'Homme et du Citoyen v. X; Tribunal de Grande Instance of Paris.
⁴ Cases by Privacy International and Liberty in the Investigatory Powers Tribunal.
⁵ Joint Application Under Article 34 of Big Brother Watch, Open Rights Group, English PEN and Dr
Constanze Kurz (applicants) v. United Kingdom (respondent).
⁶ OJ C 197, 12.7.2000, p. 1.


— having regard to its resolution of 5 July 2000 on the Draft Commission Decision on
the adequacy of the protection provided by the Safe Harbour privacy principles and
related frequently asked questions issued by the US Department of Commerce, which
took the view that the adequacy of the system could not be confirmed¹, and to the
Opinions of the Article 29 Working Party, more particularly Opinion 4/2000 of
16 May 2000²,

— having regard to the agreements between the United States of America and the
European Union on the use and transfer of passenger name records (PNR agreement)
of 2004, 2007³ and 2012⁴,

— having regard to the Joint Review of the implementation of the Agreement between
the EU and the USA on the processing and transfer of passenger name records to the
US Department of Homeland Security⁵, accompanying the report from the
Commission to the European Parliament and to the Council on the joint review
(COM(2013)0844),

— having regard to the opinion of Advocate-General Cruz Villalón concluding that
Directive 2006/24/EC on the retention of data generated or processed in connection
with the provision of publicly available electronic communications services or of
public communications networks is as a whole incompatible with Article 52(1) of the
Charter of Fundamental Rights of the European Union and that Article 6 thereof is
incompatible with Articles 7 and 52(1) of the Charter⁶,

— having regard to Council Decision 2010/412/EU of 13 July 2010 on the conclusion of
the Agreement between the European Union and the United States of America on the
processing and transfer of Financial Messaging Data from the European Union to the
United States for the purposes of the Terrorist Finance Tracking Program (TFTP)⁷ and
the accompanying declarations by the Commission and the Council,

— having regard to the Agreement on mutual legal assistance between the European
Union and the United States of America⁸,

— having regard to the ongoing negotiations on an EU-US framework agreement on the
protection of personal data when transferred and processed for the purpose of
preventing, investigating, detecting or prosecuting criminal offences, including
terrorism, in the framework of police and judicial cooperation in criminal matters (the
'Umbrella agreement'),

¹ OJ C 121, 24.4.2001, p. 152.
² http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2000/wp32en.pdf
³ OJ L 204, 4.8.2007, p. 18.
⁴ OJ L 215, 11.8.2012, p. 5.
⁵ SEC(2013)0630, 27.11.2013.
⁶ Opinion of Advocate General Cruz Villalón, 12 December 2013, Case C-293/12.
⁷ OJ L 195, 27.7.2010, p. 3.
⁸ OJ L 181, 19.7.2003, p. 34.


— having regard to Council Regulation (EC) No 2271/96 of 22 November 1996
protecting against the effects of the extra-territorial application of legislation adopted
by a third country, and actions based thereon or resulting therefrom¹,

— having regard to the statement by the President of the Federative Republic of Brazil at
the opening of the 68th session of the UN General Assembly on 24 September 2013
and to the work carried out by the Parliamentary Committee of Inquiry on Espionage
established by the Federal Senate of Brazil,

— having regard to the USA PATRIOT Act signed by President George W. Bush on
26 October 2001,

— having regard to the Foreign Intelligence Surveillance Act (FISA) of 1978 and the
FISA Amendments Act of 2008,

— having regard to Executive Order No 12333, issued by the US President in 1981 and
amended in 2008,

— having regard to the Presidential Policy Directive (PPD-28) on Signals Intelligence
Activities, issued by US President Barack Obama on 17 January 2014,

— having regard to legislative proposals currently under examination in the US Congress,
including the draft US Freedom Act, the draft Intelligence Oversight and
Surveillance Reform Act, and others,

— having regard to the reviews conducted by the Privacy and Civil Liberties Oversight
Board, the US National Security Council and the President's Review Group on
Intelligence and Communications Technology, particularly the report by the latter of
12 December 2013 entitled 'Liberty and Security in a Changing World',

— having regard to the ruling of the United States District Court for the District of
Columbia, Klayman et al. v Obama et al., Civil Action No 13-0851 of 16 December
2013, and to the ruling of the United States District Court for the Southern District of
New York, ACLU et al. v James R. Clapper et al., Civil Action No 13-3994 of 11 June
2013,

— having regard to the report on the findings by the EU Co-Chairs of the ad hoc EU-US
Working Group on data protection of 27 November 2013²,

— having regard to its resolutions of 5 September 2001 and 7 November 2002 on the
existence of a global system for the interception of private and commercial
communications (ECHELON interception system),

¹ OJ L 309, 29.11.1996, p. 1.
² Council document 16987/13.

— having regard to its resolution of 21 May 2013 on the EU Charter: standard settings
for media freedom across the EU¹,


— having regard to its resolution of 4 July 2013 on the US National Security Agency
surveillance programme, surveillance bodies in various Member States and their
impact on EU citizens, whereby it instructed its Committee on Civil Liberties, Justice
and Home Affairs to conduct an in-depth inquiry into the matter²,

— having regard to working document 1 on the US and EU Surveillance programmes and
their impact on EU citizens' fundamental rights,

— having regard to working document 3 on the relation between the surveillance
practices in the EU and the US and the EU data protection provisions,

— having regard to working document 4 on US Surveillance activities with respect to EU
data and its possible legal implications on transatlantic agreements and cooperation,

— having regard to working document 5 on democratic oversight of Member State
intelligence services and of EU intelligence bodies,

— having regard to its resolution of 23 October 2013 on organised crime, corruption and
money laundering: recommendations on action and initiatives to be taken³,

— having regard to its resolution of 23 October 2013 on the suspension of the TFTP
agreement as a result of US National Security Agency surveillance⁴,

— having regard to its resolution of 10 December 2013 on unleashing the potential of
cloud computing⁵,

— having regard to the interinstitutional agreement between the European Parliament and
the Council concerning the forwarding to and handling by the European Parliament of
classified information held by the Council on matters other than those in the area of
the common foreign and security policy⁶,

— having regard to Annex VIII of its Rules of Procedure,

— having regard to Rule 48 of its Rules of Procedure,

— having regard to the report of the Committee on Civil Liberties, Justice and Home
Affairs (A7-0139/2014),

¹ Texts adopted, P7_TA(2013)0203.
² Texts adopted, P7_TA(2013)0322.
³ Texts adopted, P7_TA(2013)0444.
⁴ Texts adopted, P7_TA(2013)0449.
⁵ Texts adopted, P7_TA(2013)0535.
⁶ OJ C 353 E, 3.12.2013, p. 156-167.

The impact of mass surveillance

A. whereas data protection and privacy are fundamental rights; whereas security
measures, including counterterrorism measures, must therefore be pursued through the
rule of law and must be subject to fundamental rights obligations, including those
relating to privacy and data protection;


B. whereas the ties between Europe and the United States of America are based on the
spirit and principles of democracy, the rule of law, liberty, justice and solidarity;

C. whereas cooperation between the US and the European Union and its Member States
in counter-terrorism remains vital for the security and safety of both partners;

D. whereas mutual trust and understanding are key factors in the transatlantic dialogue
and partnership;

E. whereas following 11 September 2001 the fight against terrorism became one of the
top priorities of most governments; whereas the revelations based on documents
leaked by the former NSA contractor, Edward Snowden, put political leaders under
the obligation to address the challenges of overseeing and controlling intelligence
agencies in surveillance activities and assessing the impact of their activities on
fundamental rights and the rule of law in a democratic society;

F. whereas the revelations since June 2013 have caused numerous concerns within the
EU as to:

• the extent of the surveillance systems revealed both in the US and in EU
Member States;

• the violation of EU legal standards, fundamental rights and data protection
standards;

• the degree of trust between the EU and the US as transatlantic partners;

• the degree of cooperation and involvement of certain EU Member States with
US surveillance programmes or equivalent programmes at national level as
unveiled by the media;

• the lack of control and effective oversight by the US political authorities and
certain EU Member States over their intelligence communities;

• the possibility of these mass surveillance operations being used for reasons
other than national security and the fight against terrorism in the strict sense,
for example economic and industrial espionage or profiling on political
grounds;

• the undermining of press freedom and of communications of members of
professions with a confidentiality privilege, including lawyers and doctors;

• the respective roles and degree of involvement of intelligence agencies and
private IT and telecom companies;

• the increasingly blurred boundaries between law enforcement and intelligence
activities, leading to every citizen being treated as a suspect and being subject
to surveillance;

• the threats to privacy in a digital era;





G. whereas the unprecedented magnitude of the espionage revealed requires full
investigation by the US authorities, the European institutions and Member States'
governments, national parliaments and judicial authorities;

H. whereas the US authorities have denied some of the information revealed but have not
contested the vast majority of it; whereas the public debate has developed on a large
scale in the US and in certain EU Member States; whereas EU governments and
parliaments too often remain silent and fail to launch adequate investigations;

I. whereas President Obama has recently announced a reform of the NSA and its
surveillance programmes;

J. whereas in comparison to actions taken both by EU institutions and by certain EU
Member States, the European Parliament has taken very seriously its obligation to
shed light on the revelations on the indiscriminate practices of mass surveillance of
EU citizens and, by means of its resolution of 4 July 2013 on the US National Security
Agency surveillance programme, surveillance bodies in various Member States and
their impact on EU citizens, instructed its Committee on Civil Liberties, Justice and
Home Affairs to conduct an in-depth inquiry into the matter;

K. whereas it is the duty of the European institutions to ensure that EU law is fully
implemented for the benefit of European citizens and that the legal force of the
EU Treaties is not undermined by a dismissive acceptance of the effects of
third countries' standards or actions;


Developments in the US on reform of intelligence 


L. whereas the District Court for the District of Columbia, in its Decision of
16 December 2013, has ruled that the bulk collection of metadata by the NSA is in
breach of the Fourth Amendment to the US Constitution¹; whereas, however, the
District Court for the Southern District of New York ruled in its Decision of
27 December 2013 that this collection was lawful;

¹ Klayman et al. v Obama et al., Civil Action No 13-0851, 16 December 2013.

M. whereas a Decision of the District Court for the Eastern District of Michigan has ruled
that the Fourth Amendment requires reasonableness in all searches, prior warrants for
any reasonable search, warrants based upon prior-existing probable cause, as well as
particularity as to persons, place and things and the interposition of a neutral
magistrate between executive branch enforcement officers and citizens¹;


N. whereas in its report of 12 December 2013, the President's Review Group on
Intelligence and Communication Technology proposes 46 recommendations to the
President of the United States; whereas the recommendations stress the need
simultaneously to protect national security and personal privacy and civil liberties;
whereas in this regard it invites the US Government to end bulk collection of phone
records of US persons under Section 215 of the USA PATRIOT Act as soon as
practicable; to undertake a thorough review of the NSA and the US intelligence legal
framework in order to ensure respect for the right to privacy; to end efforts to subvert
or make vulnerable commercial software (backdoors and malware); to increase the
use of encryption, particularly in the case of data in transit, and not to undermine
efforts to create encryption standards; to create a Public Interest Advocate to represent
privacy and civil liberties before the Foreign Intelligence Surveillance Court; to
confer on the Privacy and Civil Liberties Oversight Board the power to oversee
Intelligence Community activities for foreign intelligence purposes, and not only for
counterterrorism purposes; and to receive whistleblowers' complaints, to use Mutual
Legal Assistance Treaties to obtain electronic communications, and not to use
surveillance to steal industry or trade secrets;


O. whereas, according to an open memorandum submitted to President Obama by Former
NSA Senior Executives/Veteran Intelligence Professionals for Sanity (VIPS) on
7 January 2014, the massive collection of data does not enhance the ability to prevent
future terrorist attacks; whereas the authors stress that mass surveillance conducted by
the NSA has resulted in the prevention of zero attacks and that billions of dollars have
been spent on programmes which are less effective and vastly more intrusive on
citizens' privacy than an in-house technology called THINTHREAD that was created
in 2001;

P. whereas in respect of intelligence activities concerning non-US persons under
Section 702 of FISA, the Recommendations to the President of the USA recognise the
fundamental principle of respect for privacy and human dignity as enshrined in
Article 12 of the Universal Declaration of Human Rights and Article 17 of the
International Covenant on Civil and Political Rights; whereas they do not recommend
granting non-US persons the same rights and protections as US persons;

Q. whereas in his Presidential Policy Directive on Signals Intelligence Activities of
17 January 2014 and the related speech, US President Barack Obama stated that mass
electronic surveillance is necessary for the United States to protect its national
security, its citizens and the citizens of US allies and partners, as well as to advance its
foreign policy interests; whereas this policy directive contains certain principles
regarding the collection, use and sharing of signals intelligence and extends certain
safeguards to non-US persons, partly providing for treatment equivalent to that
enjoyed by US citizens, including safeguards for the personal information of all
individuals regardless of their nationality or residence; whereas, however, President
Obama did not call for any concrete proposals, particularly regarding the prohibition
of mass surveillance activities and the introduction of administrative and judicial
redress for non-US persons;

¹ ACLU v. NSA, No 06-CV-10204, 17 August 2006.


Legal framework 
Fundamental rights 


R. whereas the report on the findings by the EU Co-Chairs of the ad hoc EU-US Working
Group on data protection provides for an overview of the legal situation in the US, but
failed to establish the facts about US surveillance programmes; whereas no
information has been made available about the so-called 'second track' Working
Group, under which Member States discuss bilaterally with the US authorities matters
related to national security;

S. whereas fundamental rights, notably freedom of expression, of the press, of thought,
of conscience, of religion and of association, private life, data protection, as well as
the right to an effective remedy, the presumption of innocence and the right to a fair
trial and non-discrimination, as enshrined in the Charter of Fundamental Rights of
the European Union and in the European Convention on Human Rights, are
cornerstones of democracy; whereas mass surveillance of human beings is
incompatible with these cornerstones;

T. whereas in all Member States the law protects from disclosure information
communicated in confidence between lawyer and client, a principle which has been
recognised by the European Court of Justice;

U. whereas in its resolution of 23 October 2013 on organised crime, corruption and
money laundering Parliament called on the Commission to submit a legislative
proposal establishing an effective and comprehensive European whistleblower
protection programme in order to protect EU financial interests and furthermore to
conduct an examination on whether such future legislation should also cover other
fields of Union competence;

Union competences in the field of security

V. whereas according to Article 67(3) TFEU the EU 'shall endeavour to ensure a high
level of security'; whereas the provisions of the Treaty (in particular Article 4(2)
TEU, Article 72 TFEU and Article 73 TFEU) imply that the EU possesses certain
competences on matters relating to the collective external security of the Union;
whereas the EU has competence in matters of internal security (Article 4(j) TFEU)
and has exercised this competence by deciding on a number of legislative instruments
and concluding international agreements (PNR, TFTP) aimed at fighting serious
crime and terrorism, and by setting up an internal security strategy and agencies
working in this field;
W. whereas the Treaty on the Functioning of the European Union states that 'it shall be
open to Member States to organise between themselves and under their responsibility
such forms of cooperation and coordination as they deem appropriate between the
competent departments of their administrations responsible for safeguarding national
security' (Article 73 TFEU);

X. whereas Article 276 TFEU states that 'in exercising its powers regarding the
provisions of Chapters 4 and 5 of Title V of Part Three relating to the area of freedom,
security and justice, the Court of Justice of the European Union shall have no
jurisdiction to review the validity or proportionality of operations carried out by the
police or other law enforcement services of a Member State or the exercise of the
responsibilities incumbent upon Member States with regard to the maintenance of law
and order and the safeguarding of internal security';

Y. whereas the concepts of 'national security', 'internal security', 'internal security of the
EU' and 'international security' overlap; whereas the Vienna Convention on the Law
of Treaties, the principle of sincere cooperation among EU Member States and the
human rights law principle of interpreting any exemptions narrowly point towards a
restrictive interpretation of the notion of 'national security' and require that Member
States refrain from encroaching upon EU competences;

Z. whereas the European Treaties confer on the European Commission the role of the
'Guardian of the Treaties', and it is therefore the legal responsibility of the
Commission to investigate any potential breaches of EU law;

AA. whereas, in accordance with Article 6 TEU, referring to the EU Charter of
Fundamental Rights and the ECHR, Member States' agencies and even private parties
acting in the field of national security also have to respect the rights enshrined therein,
be it of their own citizens or citizens of other states;











Extraterritoriality

AB. whereas the extraterritorial application by a third country of its laws,
regulations and other legislative or executive instruments in situations falling under
the jurisdiction of the EU or its Member States may impact on the established legal
order and the rule of law, or even violate international or EU law, including the rights
of natural and legal persons, taking into account the extent and the declared or actual
aim of such an application; whereas, in these exceptional circumstances, it is
necessary to take action at Union level to ensure that the EU values enshrined
in Article 2 TEU, the Charter of Fundamental Rights, the ECHR referring to
fundamental rights, democracy and the rule of law, and the rights of natural and legal
persons as enshrined in secondary legislation applying these fundamental principles,
are respected within the EU, for example by removing, neutralising,
blocking or otherwise countering the effects of the foreign legislation concerned;

International transfers of data


AC. whereas the transfer of personal data by EU institutions, bodies, offices or agencies or
by the Member States to the US for law enforcement purposes in the absence of
adequate safeguards and protections for the respect of the fundamental rights of EU
citizens, in particular the rights to privacy and the protection of personal data, would
make that EU institution, body, office or agency or that Member State liable, under
Article 340 TFEU or the established case law of the CJEU¹, for breach of EU law,
which includes any violation of the fundamental rights enshrined in the EU Charter;

AD. whereas the transfer of data is not geographically limited, and, especially in a context
of increasing globalisation and worldwide communication, the EU legislator is
confronted with new challenges in terms of protecting personal data and
communications; whereas it is therefore of the utmost importance to foster legal
frameworks on common standards;

AE. whereas the mass collection of personal data for commercial purposes and in the fight
against terror and serious transnational crime puts at risk the personal data and privacy
rights of EU citizens;





Transfers to the US based on the US Safe Harbour 


AF. whereas the US data protection legal framework does not ensure an adequate level of
protection for EU citizens;

AG. whereas, in order to enable EU data controllers to transfer personal data to an entity in
the US, the Commission, in its Decision 520/2000, has declared the adequacy of the
protection provided by the Safe Harbour privacy principles and the related FAQs
issued by the US Department of Commerce for personal data transferred from the
Union to organisations established in the US that have joined the Safe Harbour;

AH. whereas in its resolution of 5 July 2000 Parliament expressed doubts and
concerns as to the adequacy of the Safe Harbour, and called on the Commission to
review the decision in good time, in the light of experience and of any legislative
developments;

AI. whereas in Parliament's working document 4 on US Surveillance activities with
respect to EU data and its possible legal implications on transatlantic agreements and
cooperation of 12 December 2013, the rapporteurs expressed doubts and concerns as
to the adequacy of Safe Harbour and called on the Commission to repeal the decision
on the adequacy of Safe Harbour and to find new legal solutions;

AJ. whereas Commission Decision 520/2000 stipulates that the competent authorities in
Member States may exercise their existing powers to suspend data flows to an
organisation that has self-certified its adherence to the Safe Harbour principles, in
order to protect individuals with regard to the processing of their personal data in
cases where there is a substantial likelihood that the Safe Harbour principles are being
violated or that the continuing transfer would create an imminent risk of grave harm to
data subjects;


AK. whereas Commission Decision 520/2000 also states that where evidence has
been provided that anybody responsible for ensuring compliance with the principles is
not effectively fulfilling their role, the Commission must inform the US Department of
Commerce and, if necessary, present measures with a view to reversing or suspending
the said Decision or limiting its scope;

AL. whereas in its first two reports on the implementation of the Safe Harbour, published
in 2002 and 2004, the Commission identified several deficiencies as regards the proper
implementation of the Safe Harbour and made a number of recommendations
to the US authorities with a view to rectifying those deficiencies;

AM. whereas in its third implementation report, of 27 November 2013, nine years after the
second report and without any of the deficiencies recognised in that report having been
rectified, the Commission identified further wide-ranging weaknesses and
shortcomings in the Safe Harbour and concluded that the current implementation
could not be maintained; whereas the Commission has stressed that wide-ranging
access by US intelligence agencies to data transferred to the US by
Safe Harbour-certified entities raises additional serious questions as to the continuity
of protection of the data of EU data subjects; whereas the Commission addressed 13
recommendations to the US authorities and undertook to identify by summer 2014,
together with the US authorities, remedies to be implemented as soon as possible,
forming the basis for a full review of the functioning of the Safe Harbour principles;


AN. whereas on 28-31 October 2013 a delegation of the European Parliament's
Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) met in
Washington D.C. with the US Department of Commerce and the US Federal
Trade Commission; whereas the Department of Commerce acknowledged the
existence of organisations having self-certified adherence to Safe Harbour Principles
but clearly showing a 'not-current status', meaning that the company does not fulfil
Safe Harbour requirements although continuing to receive personal data from the EU;
whereas the Federal Trade Commission admitted that the Safe Harbour should be
reviewed in order to improve it, particularly with regard to complaints and alternative
dispute resolution systems;

AO. whereas Safe Harbour Principles may be limited 'to the extent necessary to
meet national security, public interest, or law enforcement requirements';
whereas, as an exception to a fundamental right, such an exception must always be
interpreted restrictively and be limited to what is necessary and proportionate in a
democratic society, and the law must clearly establish the conditions and safeguards to
make this limitation legitimate; whereas the scope of application of such exception
should have been clarified by the US and the EU, notably by the Commission, to avoid
any interpretation or implementation that nullifies in substance the fundamental right
to privacy and data protection, among others; whereas, consequently, such an
exception should not be used in a way that undermines or nullifies the protection
afforded by the Charter of Fundamental Rights, the ECHR, the EU data protection law
and the Safe Harbour principles; insists that if the national security exception is
invoked, it must be specified under which national law;


AP. whereas large-scale access by US intelligence agencies has seriously eroded transatlantic
trust and negatively impacted trust as regards US organisations acting in the EU; whereas
this is further exacerbated by the lack of judicial and administrative redress for EU
citizens under US law, particularly in cases of surveillance activities for intelligence
purposes;


Transfers to third countries with the adequacy decision


AQ. whereas according to the information revealed and to the findings of the inquiry
conducted by the LIBE Committee, the national security agencies of New Zealand, Canada and
Australia have been involved on a large scale in mass surveillance of electronic
communications and have actively cooperated with the US under the so-called ‘Five Eyes’
programme, and may have exchanged with each other personal data of EU citizens transferred
from the EU;






AR. whereas Commission Decisions 2013/65 and 2/2002 of 20 December 2001 have declared the
levels of protection ensured by, respectively, the New Zealand Privacy Act and the Canadian
Personal Information Protection and Electronic Documents Act to be adequate; whereas the
aforementioned revelations also seriously affect trust in the legal systems of these
countries as regards the continuity of protection afforded to EU citizens; whereas the
Commission has not examined this aspect;


Transfers based on contractual clauses and other instruments 


AS. whereas Directive 95/46/EC provides that international transfers to a third country may
also take place by means of specific instruments whereby the controller adduces adequate
safeguards with respect to the protection of the privacy and fundamental rights and freedoms
of individuals and as regards the exercise of the corresponding rights;

AT. whereas such safeguards may in particular result from appropriate contractual clauses;


AU. whereas Directive 95/46/EC empowers the Commission to decide that specific
standard contractual clauses offer sufficient safeguards required by the Directive, and 
whereas on this basis the Commission has adopted three models of standard 
contractual clauses for transfers to controllers and processors (and sub-processors) in 
third countries; 


AV. whereas the Commission Decisions establishing the standard contractual
clauses stipulate that the competent authorities in Member States may exercise their
existing powers to suspend data flows where it is established that the law to
which the data importer or a sub-processor is subject imposes upon them requirements 
to derogate from the applicable data protection law which go beyond the restrictions 
necessary in a democratic society as provided for in Article 13 of Directive 95/46/EC, 
where those requirements are likely to have a substantial adverse effect on the 
guarantees provided by the applicable data protection law and the standard contractual 
clauses, or where there is a substantial likelihood that the standard contractual clauses 
in the annex are not being or will not be complied with and the continuing transfer 
would create an imminent risk of grave harm to the data subjects; 





AW. whereas national data protection authorities have developed binding corporate rules
(BCRs) in order to facilitate international transfers within a multinational corporation
with adequate safeguards with respect to the protection of the privacy and fundamental
rights and freedoms of individuals and as regards the exercise of the corresponding rights;
whereas before being used, BCRs need to be authorised by the Member States' competent
authorities after the latter have assessed compliance with Union data protection law;
whereas BCRs for data processors have been rejected in the LIBE Committee report on the
General Data Protection Regulation, as they would leave the data controller and the data
subject without any control over the jurisdiction in which their data is processed;


AX. whereas the European Parliament, given its competence stipulated by Article 218 
TFEU, has the responsibility to continuously monitor the value of international 
agreements it has given its consent to; 


Transfers based on TFTP and PNR agreements 


AY. whereas in its resolution of 23 October 2013 Parliament
expressed serious concerns over the revelations concerning the NSA's activities
as regards direct access to financial payments messages and related data, which would 
constitute a clear breach of the TFTP Agreement, and in particular Article 1 thereof; 


AZ. whereas terrorist finance tracking is an essential tool in the fight against terrorism
financing and serious crime, allowing counterterrorism investigators to discover links
between targets of investigation and other potential suspects connected with wider terrorist
networks suspected of financing terrorism;


BA. whereas Parliament asked the Commission to suspend the Agreement and requested that all
relevant information and documents be made available immediately for Parliament's
deliberations; whereas the Commission has done neither;








BB. whereas following the allegations published by the media, the Commission decided to open
consultations with the US pursuant to Article 19 of the TFTP Agreement; whereas on
27 November 2013 Commissioner Malmström informed the LIBE Committee that, after meeting US
authorities and in view of the replies given by the US authorities in their letters and
during their meetings, the Commission had decided not to pursue the consultations on the
grounds that there were no elements showing that the US Government has acted in a manner
contrary to the provisions of the Agreement, and that the US has provided written assurance
that no direct data collection has taken place contrary to the provisions of the TFTP
agreement; whereas it is not clear whether the US authorities have circumvented the
Agreement by accessing such data through other means, as indicated in the letter of
18 September 2013 from the US authorities¹;





BC. whereas during its visit to Washington of 28-31 October 2013 the LIBE delegation met
with the US Department of the Treasury; whereas the US Treasury stated that since the entry
into force of the TFTP Agreement it had not had access to data from SWIFT in the EU except
within the framework of the TFTP; whereas the US Treasury refused to comment on whether
SWIFT data would have been accessed outside TFTP by any other US government body or
department or whether the US administration was aware of NSA mass surveillance activities;
whereas on 18 December 2013 Mr Glenn Greenwald stated before the inquiry held by the LIBE
Committee that the NSA and GCHQ had targeted SWIFT networks;


BD. whereas the Belgian and Netherlands data protection authorities decided on 13 November
2013 to conduct a joint investigation into the security of SWIFT's payment networks in order
to ascertain whether third parties could gain unauthorised or unlawful access to European
citizens' bank data;


BE. whereas according to the Joint Review of the EU-US PNR agreement, the US Department of
Homeland Security (DHS) made 23 disclosures of PNR data
to the NSA on a case-by-case basis in support of counterterrorism cases, in a manner 
consistent with the specific terms of the Agreement; 


BF. whereas the Joint Review fails to mention the fact that in the case of processing of
personal data for intelligence purposes, under US law, non-US citizens do not enjoy 
any judicial or administrative avenue to protect their rights, and constitutional 
protections are only granted to US persons; whereas this lack of judicial or 
administrative rights nullifies the protections for EU citizens laid down in the existing 
PNR agreement; 


Transfers based on the EU-US Mutual Legal Assistance Agreement in criminal matters 


BG. whereas the EU-US Agreement on mutual legal assistance in criminal matters of 6 June
2003 entered into force on 1 February 2010 and is intended to facilitate cooperation between
the EU and the US to combat crime in a more effective way,
having due regard for the rights of individuals and the rule of law; 


¹ [...] law enforcement, diplomatic and intelligence [...] as well as through exchanges with
foreign partners’ and that ‘the US Government is using the TFTP to obtain SWIFT data that we
do not obtain from other sources’.

Framework agreement on data protection in the field of police and judicial cooperation
(‘umbrella agreement’)


BH. whereas the purpose of this general agreement is to establish the legal framework for
all transfers of personal data between the EU and US for the sole purposes of preventing,
investigating, detecting or prosecuting criminal offences, including terrorism, in the
framework of police and judicial cooperation in criminal matters;


BI. whereas this agreement should provide for clear and precise and legally binding data-
processing principles, and should in particular recognise EU citizens' right to judicial
access to, and rectification and erasure of, their personal data in the US, as well
as the right to an efficient administrative and judicial redress mechanism for EU 
citizens in the US and independent oversight of the data-processing activities; 





BJ. whereas in its communication of 27 November 2013 the Commission
indicated that the ‘umbrella agreement’ should result in a high level of protection for 
citizens on both sides of the Atlantic and should strengthen the trust of Europeans in 
EU-US data exchanges, providing a basis on which to develop EU-US security 
cooperation and partnership further; 


BK. whereas negotiations on the agreement have not progressed because of the US
Government's persistent position of refusing recognition of effective rights of
administrative and judicial redress to EU citizens and because of the intention of 
providing broad derogations to the data protection principles contained in the 
agreement, such as purpose limitation, data retention or onward transfers either 
domestically or abroad; 


Data protection reform


BL. whereas the EU data protection legal framework is currently being reviewed in order to
establish a comprehensive, consistent, modern and robust system for all data-processing
activities in the Union; whereas in January 2012 the Commission presented a package of
legislative proposals: a General Data Protection Regulation, which will replace Directive
95/46/EC and establish a uniform law throughout the EU, and a Directive which will lay down
a harmonised framework for all data processing activities by law enforcement authorities for
law enforcement purposes and will reduce the current divergences among national laws;


BM. whereas on 21 October 2013 the LIBE Committee adopted its legislative reports on the
two proposals and a decision on the opening of negotiations with the Council with a view to
having the legal instruments adopted during this legislative term;
BN. whereas, although the European Council of 24/25 October 2013 called for the timely
adoption of a strong EU General Data Protection framework in order to foster the trust of
citizens and businesses in the digital economy, after two years of deliberations the Council
has still been unable to arrive at a general approach on the General Data Protection
Regulation and the Directive;


IT security and cloud computing 


BO. whereas Parliament's resolution of 10 December 2013 emphasises the economic potential of
‘cloud computing’ business for growth and employment; whereas the overall economic value of
the cloud market is forecast to be worth USD 207 billion a year by 2016, or twice its value
in 2012;


BP. whereas the level of data protection in a cloud computing environment must not be
inferior to that required in any other data-processing context; whereas Union data
protection law, since it is technologically neutral, already applies fully to cloud
computing services operating in the EU; 


BQ. whereas mass surveillance activities give intelligence agencies access to personal data
stored or otherwise processed by EU individuals under cloud services agreements with major
US cloud providers; whereas the US intelligence authorities have accessed personal data
stored or otherwise processed in servers located on EU soil by tapping into the internal
networks of Yahoo and Google; whereas such activities constitute a violation of
international obligations and of European fundamental rights standards including the right
to private and family life, the confidentiality of communications, the presumption of
innocence, freedom of expression, freedom of information, freedom of assembly and
association and the freedom to conduct business; whereas it is not excluded that information
stored in cloud services by Member States' public authorities or undertakings and
institutions has also been accessed by intelligence authorities;


BR. whereas US intelligence agencies have a policy of systematically undermining
cryptographic protocols and products in order to be able to intercept even encrypted
communication; whereas the US National Security Agency has collected vast numbers of
so-called ‘zero-day exploits’ — IT security vulnerabilities that are not yet known to the
public or the product vendor; whereas such activities massively undermine global efforts to
improve IT security;


BS. whereas the fact that intelligence agencies have accessed personal data of users of
online services has severely distorted the trust of citizens in such services, and
therefore has an adverse effect on businesses investing in the development of new 
services using ‘Big Data’ and new applications such as the ‘Internet of Things’; 
BT. whereas IT vendors often deliver products that have not been properly tested for IT
security or that even sometimes have backdoors implanted purposefully by the vendor;
whereas the lack of liability rules for software vendors has led to such a situation,
which is in turn exploited by intelligence agencies but also leaves open the risk of
attacks by other entities; 


BU. whereas it is essential for companies providing such new services and applications to
respect the data protection rules and privacy of the data subjects whose data are
collected, processed and analysed, in order to maintain a high level of trust among
citizens;





Democratic oversight of intelligence services 


BV. whereas intelligence services in democratic societies are given special powers and
capabilities to protect fundamental rights, democracy and the rule of law, citizens' rights
and the State against internal and external threats, and are subject to democratic
accountability and judicial oversight; whereas they are given special powers and
capabilities only to this end; whereas these powers should be used within the legal limits
imposed by fundamental rights, democracy and the rule of law and their application should
be strictly scrutinised, as otherwise they lose legitimacy and risk undermining democracy;

BW. whereas [...] or exclude rules on democratic and judicial scrutiny and examination of
their activities, as well as on transparency, notably in relation to the respect of
fundamental rights and the rule of law, all of which are cornerstones in a democratic
society;





BX. whereas most of the existing national oversight mechanisms and bodies were set up or
revamped in the 1990s and have not necessarily been adapted to the rapid political and
technological developments over the last decade that have led to increased international
intelligence cooperation, also through the large-scale exchange of personal data, and often
blurring the line between intelligence and law enforcement activities;

BY. whereas democratic oversight of intelligence activities is still only conducted at
national level, despite the increase in exchange of information between EU Member States
and between Member States and third countries; whereas there is an increasing gap between
the level of international cooperation on the one hand and oversight capacities limited to
the national level on the other, which results in insufficient and ineffective democratic
scrutiny;
BZ. whereas national oversight bodies often do not have full access to intelligence
received from a foreign intelligence agency, which can lead to gaps in which 
international information exchanges can take place without adequate review; whereas 
this problem is further aggravated by the so-called ‘third party rule’ or the principle of 
‘originator control’, which has been designed to enable originators to maintain control 
over the further dissemination of their sensitive information, but is unfortunately often 
interpreted as applying also to the recipient services' oversight; 


CA. whereas private and public transparency reform initiatives are key to ensuring public 
trust in the activities of intelligence agencies; whereas legal systems should not 
prevent companies from disclosing to the public information about how they handle 
all types of government requests and court orders for access to user data, including the 
possibility of disclosing aggregate information on the number of requests and orders 
approved and rejected; 


Main findings 


1. Considers that recent revelations in the press by whistleblowers and journalists,
together with the expert evidence given during this inquiry, admissions by authorities, and
the insufficient response to these allegations, have resulted in compelling evidence of the
existence of far-reaching, complex and highly technologically advanced systems designed by
US and some Member States' intelligence services to collect, store and analyse
communication data, including content data, location data and metadata of all citizens
around the world, on an unprecedented scale and in an indiscriminate and
non-suspicion-based manner;


2. Points specifically to US NSA intelligence programmes allowing for the mass surveillance
of EU citizens through direct access to the central servers of leading US internet companies
(PRISM programme), the analysis of content and metadata (Xkeyscore programme), the
circumvention of online encryption (BULLRUN), access to computer and telephone networks,
and access to location data, as well as to systems of the UK intelligence agency GCHQ such
as the upstream surveillance activity (Tempora programme), the decryption programme
(Edgehill), the targeted ‘man-in-the-middle attacks’ on information systems (Quantumtheory
and Foxacid [...]) [...] and Sweden [...] the collection and retention of 200 million text
messages per day (Dishfire programme);


3. Notes the allegations of ‘hacking’ or tapping into the Belgacom systems by the UK
intelligence agency GCHQ; notes the statements by Belgacom that it could neither confirm
nor deny that EU institutions were [...] use would require extensive financial and staffing
resources for the development and use that would not be available to private entities or
hackers;


4. Emphasises that trust has been profoundly shaken: trust between the two transatlantic
partners, trust among EU Member States, trust between citizens and their governments, trust
in the functioning of democratic institutions on both sides of the Atlantic, trust in the
respect of the rule of law, and trust in the security of IT services and communication;
believes that in order to rebuild trust in all these dimensions, an immediate and
comprehensive response plan comprising a series of actions which are subject to public
scrutiny is urgently needed;


5. Notes that several governments claim that these mass surveillance programmes are
necessary to combat terrorism; strongly denounces terrorism, but strongly believes that the
fight against terrorism can never in itself be a justification for untargeted, secret, or
even illegal mass surveillance programmes; takes the view that such programmes are
incompatible with the principles of necessity and proportionality in a democratic society;


6. Recalls the EU's firm belief in the need to strike the right balance between security


measures and the protection of civil liberties and fundamental rights, while ensuring 
the utmost respect for privacy and data protection; 


7. Considers that data collection of such magnitude leaves considerable doubts as to
whether these actions are guided only by the fight against terrorism, since it involves the
collection of all possible data of all citizens; points, therefore, to the possible
existence of other purposes including political and economic espionage, which need to be
comprehensively dispelled;


8. Questions the compatibility of some Member States' massive economic espionage activities
with the EU internal market and competition law as enshrined in Titles I and VII of the
Treaty on the Functioning of the European Union; reaffirms the principle of sincere
cooperation as enshrined in Article 4(3) of the Treaty on European Union, as well as the
principle that the Member States shall ‘refrain from any measures which could jeopardise the
attainment of the Union's objectives’;

9. Notes that international treaties and EU and US legislation, as well as national
oversight mechanisms, have failed to provide for the necessary checks and balances or for
democratic accountability;


10. Condemns the vast and systemic blanket collection of the personal data of innocent
people, often including intimate personal information; emphasises that the systems of
indiscriminate mass surveillance by intelligence services constitute a serious interference
with the fundamental rights of citizens; stresses that privacy is not a luxury right, but
the foundation stone of a free and democratic society; points out, furthermore, that mass
surveillance has potentially severe effects on freedom of the press, thought and speech and
on freedom of assembly and of association, as well as entailing a significant potential for
abusive use of the information gathered against political adversaries; emphasises that these
mass surveillance activities also entail illegal actions by intelligence services and raise
questions regarding the extraterritoriality of national laws;


11. Considers it crucial that the professional confidentiality privilege of lawyers,
journalists, doctors and other regulated professions is safeguarded against mass
surveillance activities; stresses, in particular, that any uncertainty about the
confidentiality of communications between lawyers and their clients could negatively impact
on EU citizens' right of access to legal advice and access to justice and the right to a
fair trial;


12. Sees the surveillance programmes as yet another step towards the establishment of a
fully-fledged preventive state, changing the established paradigm of criminal law in
democratic societies whereby any interference with suspects' fundamental rights has to be
authorised by a judge or prosecutor on the basis of a reasonable suspicion and must be
regulated by law, promoting instead a mix of law enforcement and intelligence activities
with blurred and weakened legal safeguards, often not in line with democratic checks and
balances and fundamental rights, especially the presumption of innocence; recalls in this
regard the decision of the German Federal Constitutional Court [...] not suffice to justify
such measures;


13. Is convinced that secret laws, treaties and courts violate the rule of law; points out
that any judgment of a court or tribunal and any decision of an administrative authority of
a non-EU state authorising, directly or indirectly, surveillance activities [...] manner
unless there is a mutual legal assistance treaty or an international agreement in force
between the requesting third country and the Union or a Member State and a prior
authorisation by the competent supervisory authority; recalls that any judgment of a secret
court or tribunal and any decision of an administrative authority of a non-EU state secretly
authorising, directly or indirectly, surveillance activities shall not be recognised or
enforced;


14. Points out that the abovementioned concerns are exacerbated by rapid technological and
societal developments; since internet and mobile devices are everywhere in modern daily
life (‘ubiquitous computing’) and the business model of most internet companies is based on
the processing of personal data, considers that the scale of this problem is unprecedented;
notes that this may create a situation where infrastructure for the mass collection and
processing of data could be misused in cases of change of political regime;






15. Notes that there is no guarantee, either for EU public institutions or for citizens,
that their IT security or privacy can be protected from attacks by well-equipped intruders
(‘no 100 % IT security’); notes that [...] maximum IT security, Europeans need to be
willing to dedicate sufficient resources, both human and financial, to preserving Europe's
independence and self-reliance in the field of IT;








16. Strongly rejects the notion that all issues related to mass surveillance programmes are
purely a matter of national security and therefore the sole competence of Member States;
reiterates that Member States must fully respect EU law and the ECHR while acting to ensure
their national security; recalls a recent ruling of the Court of Justice according to which
‘although it is for Member States to take the appropriate measures to ensure their internal
and external security, the mere fact that a decision concerns State security cannot result
in European Union law being inapplicable’; recalls further that the protection of the
privacy of all EU citizens is at stake, as are the security and reliability of all EU
communication networks; believes, therefore, that discussion and action at EU level are not
only legitimate, but also a matter of EU autonomy;


17. Commends the current discussions, inquiries and reviews concerning the subject of this
inquiry in several parts of the world, including through the support of civil society;
points to the Global Government Surveillance Reform signed up to by the world's leading
technology companies calling for sweeping changes to national surveillance laws, including
an international ban on bulk collection of data, to help preserve the public's trust in the
internet and in their businesses; points to the calls made by hundreds of leading academics,
civil society organisations and 562 international authors, including five Nobel laureates,
for an end to mass surveillance; notes with great interest the recommendations published
recently by the US President's Review Group on Intelligence and Communications Technologies
and the Privacy and Civil Liberties Oversight Board Report on the Telephone Records Program
Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign
Intelligence Surveillance Court; strongly urges governments to take these calls and
recommendations fully into account and to overhaul their national frameworks for their
intelligence services in order to implement appropriate safeguards and oversight;





18. Commends the institutions and experts who have contributed to this Inquiry; deplores
the fact that several Member States' authorities have declined to cooperate with the inquiry
the European Parliament has been conducting on behalf of citizens; welcomes the openness of
several Members of Congress and of national parliaments;


19. Is aware that in such a limited timeframe it has been possible to conduct only a
preliminary investigation of all the issues at stake since July 2013; recognises both the
scale of the revelations involved and their ongoing nature; adopts, therefore, a
forward-planning approach consisting in a set of specific proposals and a mechanism for
follow-up action in the next parliamentary term, ensuring the findings remain high on the EU
political agenda;


20. Intends to request strong political undertakings from the new Commission which will be
designated after the May 2014 European elections to the effect that it will implement the
proposals and recommendations of this Inquiry; expects an appropriate level of commitment
from the candidates in the upcoming parliamentary hearings for the new Commissioners;





Recommendations 


21. Calls on the US authorities and the EU Member States, where this is not yet the case,
to prohibit blanket mass surveillance activities;


22. Calls on the EU Member States, in particular those participating in the so-called
‘9-eyes’ and ‘14-eyes’ programmes¹, to comprehensively evaluate, and revise where
necessary, their national legislation and practices governing the activities of the
intelligence services so as to ensure that they are subject to parliamentary and judicial
oversight and public scrutiny, that they respect the principles of legality, necessity,
proportionality, due process, user notification and transparency, including by reference to
the UN compilation of good practices and the recommendations of the Venice Commission, and
that they are in line with the standards of the European Convention on Human Rights and
comply with their Member States' fundamental rights obligations, in particular as regards
data protection, privacy, and the presumption of innocence;


23. Calls on all EU Member States and in particular, with regard to its Resolution of 4 July 2013 and Inquiry Hearings, the United Kingdom, France, Germany, Sweden, the Netherlands and Poland to ensure that their current or future legislative frameworks and oversight mechanisms governing the activities of intelligence agencies are in line with the standards of the European Convention on Human Rights and European Union data protection legislation; calls on these Member States to clarify the allegations of mass surveillance activities, including mass surveillance of cross-border telecommunications, untargeted surveillance on cable-bound communications, potential agreements between intelligence services and telecommunication companies as regards access and exchange of personal data and access to transatlantic cables, US intelligence personnel and equipment on EU territory without oversight on surveillance operations, and their compatibility with EU legislation; invites the national parliaments of those countries to intensify cooperation of their intelligence oversight bodies at European level;














24. Calls on the United Kingdom, in particular, given the extensive media reports referring to mass surveillance by the intelligence service GCHQ, to revise its current legal framework, which is made up of a ‘complex interaction’ between three separate pieces of legislation — the Human Rights Act 1998, the Intelligence Services Act 1994 and the Regulation of Investigatory Powers Act 2000;

¹ The ‘9-eyes programme’ comprises the US, the UK, Canada, Australia, New Zealand, Denmark, France, Norway and the Netherlands; the ‘14-eyes’ programme comprises these states plus Germany, Belgium, Italy, Spain and Sweden.


25. Takes note of the review of the Dutch Intelligence and Security Act 2002 (report by the Dessens Commission of 2 December 2013); supports those recommendations of the review commission which aim to strengthen the transparency, control and oversight of the Dutch intelligence services; calls on the Netherlands to refrain from extending the powers of the intelligence services in such a way as to enable untargeted and large-scale surveillance also to be performed on cable-bound communications of innocent citizens, especially given the fact that one of the biggest Internet Exchange Points in the world is located in Amsterdam (AMS-IX); calls for caution in defining the mandate and capabilities of the new Joint Sigint Cyber Unit, as well as for caution regarding the presence and operation of US intelligence personnel on Dutch territory;











26. Calls on the Member States, including when represented by their intelligence agencies, to refrain from accepting data from third states which have been collected unlawfully and from allowing surveillance activities on their territory by third states’ governments or agencies which are unlawful under national law or do not meet the legal safeguards enshrined in international or EU instruments, including the protection of human rights under the TEU, the ECHR and the EU Charter of Fundamental Rights;


27. Calls on the Member States immediately to fulfil their positive obligation under the European Convention on Human Rights to protect their citizens from surveillance contrary to its requirements, including when the aim thereof is to safeguard national security, undertaken by third states or by their own intelligence services, and to ensure that the rule of law is not weakened as a result of extraterritorial application of a third country’s law;


28. Invites the Secretary-General of the Council of Europe to launch the Article 52 procedure according to which ‘on receipt of a request from the Secretary-General of the Council of Europe any High Contracting Party shall furnish an explanation of the manner in which its internal law ensures the effective implementation of any of the provisions of the Convention’;


29. Calls on Member States to take appropriate action immediately, including court action, against the breach of their sovereignty, and thereby the violation of general public international law, perpetrated through the mass surveillance programmes; calls further on EU Member States to make use of all available international measures to defend EU citizens’ fundamental rights, notably by triggering the inter-state complaint procedure under Article 41 of the International Covenant on Civil and Political Rights (ICCPR);


30. Calls on the US to revise its legislation without delay in order to bring it into line with international law, to recognise the privacy and other rights of EU citizens, to provide for judicial redress for EU citizens, to put rights of EU citizens on an equal footing with rights of US citizens, and to sign the Optional Protocol allowing for complaints by individuals under the ICCPR;


31. Welcomes, in this regard, the remarks made and the Presidential Policy Directive issued by US President Obama on 17 January 2014, as a step towards limiting authorisation of the use of surveillance and data processing to national security purposes and towards equal treatment of all individuals’ personal information, regardless of their nationality or residence, by the US intelligence community; awaits, however, in the context of the EU-US relationship, further specific steps which will, most importantly, strengthen trust in transatlantic data transfers and provide for binding guarantees for enforceable privacy rights of EU citizens, as outlined in detail in this report;






32. Stresses its serious concerns in relation to the work within the Council of Europe’s Cybercrime Convention Committee on the interpretation of Article 32 of the Convention on Cybercrime of 23 November 2001 (Budapest Convention) on transborder access to stored computer data with consent or where publicly available, and opposes any conclusion of an additional protocol or guidance intended to broaden the scope of this provision beyond the current regime established by this Convention, which is already a major exception to the principle of territoriality, because it could result in unfettered remote access by law enforcement authorities to servers and computers located in other jurisdictions without recourse to MLA agreements and other instruments of judicial cooperation put in place to guarantee the fundamental rights of the individual, including data protection and due process, and in particular Council of Europe Convention 108;


33. Calls on the Commission to carry out, before July 2014, an assessment of the applicability of Regulation (EC) No 2271/96 to cases of conflict of laws for transfers of personal data;


34. Calls on the Fundamental Rights Agency to undertake in-depth research on the protection of fundamental rights in the context of surveillance, and in particular on the current legal situation of EU citizens with regard to the judicial remedies available to them in relation to those practices;


International transfers of data 
US data protection legal framework and US Safe Harbour 


35. Notes that the companies identified by media revelations as being involved in the large-scale mass surveillance of EU data subjects by the US NSA are companies that have self-certified their adherence to the Safe Harbour, and that the Safe Harbour is the legal instrument used for the transfer of EU personal data to the US (examples being Google, Microsoft, Yahoo!, Facebook, Apple and LinkedIn); expresses its concerns that these organisations have not encrypted information and communications flowing between their data centres, thereby enabling intelligence services to intercept information; welcomes the subsequent statements by some US companies that they will accelerate plans to implement encryption of data flows between their global data centres;


36. Considers that large-scale access by US intelligence agencies to EU personal data processed by Safe Harbour does not meet the criteria for derogation under ‘national security’;





37. Takes the view that, as under the current circumstances the Safe Harbour principles do not provide adequate protection for EU citizens, these transfers should be carried out under other instruments, such as contractual clauses or BCRs, provided these instruments set out specific safeguards and protections and are not circumvented by other legal frameworks;


38. Takes the view that the Commission has failed to act to remedy the well-known deficiencies of the current implementation of Safe Harbour;


39. Calls on the Commission to present measures providing for the immediate suspension of Commission Decision 520/2000, which declared the adequacy of the Safe Harbour privacy principles, and of the related FAQs issued by the US Department of Commerce; calls on the US authorities, therefore, to put forward a proposal for a new framework for transfers of personal data from the EU to the US which meets Union law data protection requirements and provides for the required adequate level of protection;


40. Calls on Member States’ competent authorities, in particular the data protection authorities, to make use of their existing powers and immediately suspend data flows to any organisation that has self-certified its adherence to the US Safe Harbour Principles, and to require that such data flows are only carried out under other instruments and provided they contain the necessary safeguards and guarantees with respect to the protection of the privacy and fundamental rights and freedoms of individuals;


41. Calls on the Commission to present, by December 2014, a comprehensive assessment of the US privacy framework covering commercial, law enforcement and intelligence activities, and concrete recommendations based on the absence of a general data protection law in the US; encourages the Commission to engage with the US administration in order to establish a legal framework providing for a high level of protection of individuals with regard to the protection of their personal data when transferred to the US and ensure the equivalence of EU and US privacy frameworks;





Transfers to other third countries with adequacy decision 


42. Recalls that Directive 95/46/EC stipulates that transfers of personal data to a third country may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of the Directive, the third country in question ensures an adequate level of protection, the purpose of this provision being to ensure the continuity of the protection afforded by EU data protection law where personal data are transferred outside the EU;


43. Recalls that Directive 95/46/EC also provides that the adequacy of the level of protection afforded by a third country is to be assessed in the light of all the circumstances surrounding a data transfer operation or set of such operations; recalls likewise that the said Directive also equips the Commission with implementing powers to declare that a third country ensures an adequate level of protection in the light of the criteria laid down by Directive 95/46/EC; recalls that Directive 95/46/EC also empowers the Commission to declare that a third country does not ensure an adequate level of protection;








44. Recalls that in the latter case Member States must take the measures necessary to prevent any transfer of data of the same type to the third country in question, and that the Commission should enter into negotiations with a view to remedying the situation;


45. Calls on the Commission and the Member States to assess without delay whether the adequate level of protection of the New Zealand Privacy Act and of the Canadian Personal Information Protection and Electronic Documents Act, as declared by Commission Decisions 2013/654 and 2/2002 of 20 December 2001, has been affected by the involvement of those countries’ national intelligence agencies in the mass surveillance of EU citizens, and, if necessary, to take appropriate measures to suspend or reverse the adequacy decisions; also calls on the Commission to assess the situation for other countries that have received an adequacy rating; expects the Commission to report to Parliament on its findings on the above-mentioned countries by December 2014 at the latest;





Transfers based on contractual clauses and other instruments 


46. Recalls that national data protection authorities have indicated that neither standard contractual clauses nor BCRs were formulated with situations of access to personal data for mass surveillance purposes in mind, and that such access would not be in line with the derogation clauses of the contractual clauses or BCRs which refer to exceptional derogations for a legitimate interest in a democratic society and where necessary and proportionate;


47. Calls on the Member States to prohibit or suspend data flows to third countries based on the standard contractual clauses, contractual clauses or BCRs authorised by the national competent authorities where it is likely that the law to which the data recipients are subject imposes requirements on them which go beyond the restrictions that are strictly necessary, adequate and proportionate in a democratic society and are likely to have an adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses, or because continuing transfer would create a risk of grave harm to the data subjects;


48. Calls on the Article 29 Working Party to issue guidelines and recommendations on the safeguards and protections that contractual instruments for international transfers of EU personal data should contain in order to ensure the protection of the privacy, fundamental rights and freedoms of individuals, taking particular account of the third-country laws on intelligence and national security and the involvement of the companies receiving the data in a third country in mass surveillance activities by a third country’s intelligence agencies;


49. Calls on the Commission to examine without delay the standard contractual clauses it has established in order to assess whether they provide the necessary protection as regards access to personal data transferred under the clauses for intelligence purposes and, if appropriate, to review them;


Transfers based on the Mutual Legal Assistance Agreement 


50. Calls on the Commission to conduct, before the end of 2014, an in-depth assessment of the existing Mutual Legal Assistance Agreement, pursuant to its Article 17, in order to verify its practical implementation and, in particular, whether the US has made effective use of it for obtaining information or evidence in the EU and whether the Agreement has been circumvented to acquire the information directly in the EU, and to assess the impact on the fundamental rights of individuals; such an assessment should not only refer to US official statements as a sufficient basis for the analysis but also be based on specific EU evaluations; this in-depth review should also address the consequences of the application of the Union’s constitutional architecture to this instrument in order to bring it into line with Union law, taking account in particular of Protocol 36 and Article 10 thereof and Declaration 50 concerning this protocol; calls on the Council and Commission also to assess bilateral agreements between Member States and the US so as to ensure that they are consistent with the agreements that the EU follows or decides to follow with the US;





EU mutual assistance in criminal matters 


51. Asks the Council and Commission to inform Parliament about the actual use by Member States of the Convention on Mutual Assistance in Criminal Matters between the Member States, in particular its Title III on interception of telecommunications; calls on the Commission to put forward a proposal, in accordance with Declaration 50, concerning Protocol 36, as requested, before the end of 2014 in order to adapt it to the Lisbon Treaty framework;


Transfers based on the TFTP and PNR agreements 


52. Takes the view that the information provided by the European Commission and the US Treasury does not clarify whether US intelligence agencies have access to SWIFT financial messages in the EU by intercepting SWIFT networks or banks’ operating systems or communication networks, alone or in cooperation with EU national intelligence agencies and without having recourse to existing bilateral channels for mutual legal assistance and judicial cooperation;


53. Reiterates its resolution of 23 October 2013 and asks the Commission for the suspension of the TFTP Agreement;


54. Calls on the Commission to react to concerns that three of the major computerised reservation systems used by airlines worldwide are based in the US and that PNR data are saved in cloud systems operating on US soil under US law, which lacks data protection adequacy;


Framework agreement on data protection in the field of police and judicial cooperation (‘Umbrella Agreement’)


55. Considers that a satisfactory solution under the ‘Umbrella Agreement’ is a precondition for the full restoration of trust between the transatlantic partners;


56. Asks for an immediate resumption of the negotiations with the US on the ‘Umbrella Agreement’, which should put rights for EU citizens on an equal footing with rights for US citizens; stresses that, moreover, this agreement should provide effective and enforceable administrative and judicial remedies for all EU citizens in the US without any discrimination;


57. Asks the Commission and Council not to initiate any new sectorial agreements or arrangements for the transfer of personal data for law enforcement purposes with the US as long as the ‘Umbrella Agreement’ has not entered into force;





58. Urges the Commission to report in detail on the various points of the negotiating mandate and the latest state of play by April 2014;


Data protection reform 


59. Calls on the Council Presidency and the Member States to accelerate their work on the whole Data Protection Package to allow for its adoption in the very near future; stresses that strong engagement and full support on the part of the Council are a necessary condition to demonstrate credibility and assertiveness towards third countries;





60. Stresses that both the Data Protection Regulation and the Data Protection Directive are necessary to protect the fundamental rights of individuals, and that the two must therefore be treated as a package to be adopted simultaneously, in order to ensure that all data-processing activities in the EU provide a high level of protection in all circumstances; stresses that it will only adopt further law enforcement cooperation measures once the Council has entered into negotiations with Parliament and the Commission on the Data Protection Package;
61. Recalls that the concepts of ‘privacy by design’ and ‘privacy by default’ are a strengthening of data protection and should have the status of guidelines for all products, services and systems offered on the internet;


62. Considers higher transparency and safety standards for online and telecommunications as a necessary principle with a view to a better data protection regime; calls, therefore, on the Commission to put forward a legislative proposal on standardised general terms and conditions for online and telecommunications services, and to mandate a supervisory body to monitor compliance with the general terms and conditions;

Cloud computing





63. Notes that trust in US cloud computing and cloud providers has been negatively affected by the above-mentioned practices; emphasises, therefore, the development of European clouds and IT solutions as an essential element for growth and employment and for trust in cloud computing services and providers, as well as for ensuring a high level of personal data protection;


64. Calls on all public bodies in the Union not to use cloud services where non-EU laws might apply;


65. Reiterates its serious concern regarding the compulsory direct disclosure of EU personal data and information processed under cloud agreements to third-country authorities by cloud providers subject to third-country laws or using storage servers located in third countries, as also regarding direct remote access to personal data and information processed by third-country law enforcement authorities and intelligence services;


66. Deplores the fact that such access is usually attained by means of direct enforcement by third-country authorities of their own legal rules, without recourse to international instruments established for legal cooperation such as mutual legal assistance (MLA) agreements or other forms of judicial cooperation;


67. Calls on the Commission and the Member States to speed up the work of establishing a European Cloud Partnership while fully including civil society and the technical community, such as the Internet Engineering Task Force (IETF), and incorporating data protection aspects;


68. Urges the Commission, when negotiating international agreements that involve the processing of personal data, to take particular note of the risks and challenges that cloud computing poses to fundamental rights, in particular — but not exclusively — the right to private life and to the protection of personal data, as enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union; urges the Commission, furthermore, to take note of the negotiating partner’s domestic rules governing the access of law enforcement and intelligence agencies to personal data processed through cloud computing services, in particular by demanding that such access be granted only if there is full respect for due process of law and on an unambiguous legal basis, as well as the requirement that the exact conditions of access, the purpose of gaining such access, the security measures put in place when handing over data and the rights of the individual, as well as the rules for supervision and for an effective redress mechanism, be specified;


69. Recalls that all companies providing services in the EU must, without exception, comply with EU law and are liable for any breaches, and underlines the importance of having effective, proportionate and dissuasive administrative sanctions in place that can be imposed on ‘cloud computing’ service providers who do not comply with EU data protection standards;


70. Calls on the Commission and the competent authorities of the Member States to evaluate the extent to which EU rules on privacy and data protection have been violated through the cooperation of EU legal entities with secret services or through the acceptance of court warrants of third-country authorities requesting personal data of EU citizens contrary to EU data protection legislation;


71. Calls on businesses providing new services using ‘Big Data’ and new applications such as the ‘Internet of Things’ to build in data protection measures already at the development stage, in order to maintain a high level of trust among citizens;


Transatlantic Trade and Investment Partnership Agreement (TTIP) 


72. Recognises that the EU and the US are pursuing negotiations for a Transatlantic Trade and Investment Partnership, which is of major strategic importance for creating further economic growth;


73. Strongly emphasises, given the importance of the digital economy in the relationship and in the cause of rebuilding EU-US trust, that the consent of the European Parliament to the final TTIP agreement could be endangered as long as the blanket mass surveillance activities and the interception of communications in EU institutions and diplomatic representations are not completely abandoned and an adequate solution is found for the data privacy rights of EU citizens, including administrative and judicial redress; stresses that Parliament may only consent to the final TTIP agreement provided the agreement fully respects, inter alia, the fundamental rights recognised by the EU Charter, and provided the protection of the privacy of individuals in relation to the processing and dissemination of personal data remains governed by Article XIV of the GATS; stresses that EU data protection legislation cannot be deemed an ‘arbitrary or unjustifiable discrimination’ in the application of Article XIV of the GATS;


Democratic oversight of intelligence services 





74. Stresses that, despite the fact that oversight of intelligence services’ activities should be based on both democratic legitimacy (strong legal framework, ex ante authorisation and ex post verification) and adequate technical capability and expertise, the majority of current EU and US oversight bodies dramatically lack both, in particular the technical capabilities;


75. Calls, as it did in the case of Echelon, on all national parliaments which have not yet done so to install meaningful oversight of intelligence activities by parliamentarians or expert bodies with legal powers to investigate; calls on the national parliaments to ensure that such oversight committees/bodies have sufficient resources, technical expertise and legal means, including the right to conduct on-site visits, to be able to effectively control intelligence services;


76. Calls for the setting up of a High-Level Group to propose, in a transparent manner and in collaboration with parliaments, recommendations and further steps to be taken for enhanced democratic oversight, including parliamentary oversight, of intelligence services and increased oversight collaboration in the EU, in particular as regards its cross-border dimension;









77. Considers this High-Level Group should:

– define minimum European standards or guidelines on the (ex ante and ex post) oversight of intelligence services on the basis of existing best practices and recommendations by international bodies (UN, Council of Europe), including the issue of oversight bodies being considered as a third party under the ‘third party rule’, or the principle of ‘originator control’, on the oversight and accountability of intelligence from foreign countries;

– set strict limits on the duration and scope of any surveillance ordered unless its continuation is duly justified by the authorising/oversight authority; recalls that the duration of any surveillance ordered should be proportionate and limited to its purpose;

– develop criteria on enhanced transparency, built on the general principle of access to information and the so-called ‘Tshwane Principles’¹;








78. Intends to organise a conference with national oversight bodies, whether parliamentary or independent, by the end of 2014;


79. Calls on the Member States to draw on best practices so as to improve access by their oversight bodies to information on intelligence activities (including classified information and information from other services) and establish the power to conduct on-site visits, a robust set of powers of interrogation, adequate resources and technical expertise, strict independence vis-à-vis their respective governments, and a reporting obligation to their respective parliaments;


80. Calls on the Member States to develop cooperation among oversight bodies, in particular within the European Network of National Intelligence Reviewers (ENNIR);


81. Urges the Commission and the HR/VP to present, by December 2014, a proposal for a legal basis for the activities of the EU Intelligence Analysis Centre (IntCen), together with an adequate oversight mechanism; urges the HR/VP to regularly account for the activities of IntCen to the responsible bodies of Parliament, including its full compliance with fundamental rights and applicable EU data privacy rules, and to specifically clarify its existing oversight mechanism with Parliament;

¹ The Global Principles on National Security and the Right to Information, June 2013.





82. Calls on the Commission to present, by December 2014, a proposal for an EU security clearance procedure for all EU office holders, as the current system, which relies on the security clearance undertaken by the Member State of citizenship, provides for different requirements and lengths of procedures within national systems, thus leading to differing treatment of Members of Parliament and their staff depending on their nationality;


83. Recalls the provisions of the interinstitutional agreement between the European Parliament and the Council concerning the forwarding to and handling by Parliament of classified information held by the Council on matters other than those in the area of the common foreign and security policy, which should be used to improve oversight at EU level;





EU agencies 


84. Calls on the Europol Joint Supervisory Body, together with national data protection authorities, to conduct a joint inspection before the end of 2014 in order to ascertain whether information and personal data shared with Europol have been lawfully acquired by national authorities, particularly if the information or data were initially acquired by intelligence services in the EU or a third country, and whether appropriate measures are in place to prevent the use and further dissemination of such information or data; considers that Europol should not process any information or data which were obtained in violation of fundamental rights which would be protected under the Charter of Fundamental Rights;


85. Calls on Europol to make full use of its mandate to request the competent
authorities of the Member States to initiate criminal investigations with regard to
major cyberattacks and IT breaches with potential cross-border impact; believes that
Europol's mandate should be enhanced in order to allow it to initiate its own
investigation following suspicion of a malicious attack on the network and information
systems of two or more Member States or Union bodies¹; calls on the Commission to
review the activities of Europol's European Cybercrime Centre (EC3) and, if
necessary, put forward a proposal for a comprehensive framework for strengthening its
competences;





¹ European Parliament legislative resolution of … February 2014 on the proposal for a regulation of the
European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation
and Training (…) (A7-0096/2014).
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Freedom of expression 


86. Expresses its deep concern at the mounting threats to the freedom of the press and
the chilling effect on journalists of intimidation by state authorities, in particular as
regards the protection of confidentiality of journalistic sources; reiterates the calls
expressed in its resolution of 21 May 2013 on 'the EU Charter: standard settings for
media freedom across the EU';


87. Takes note of the detention of David Miranda and the seizure of the material in
his possession by the UK authorities under Schedule 7 of the Terrorism Act 2000 (and
also the request made to the Guardian newspaper to destroy or hand over the material)
and expresses its concern that this constitutes a possible serious interference with the
right of freedom of expression and media freedom as recognised by Article 10 of the
ECHR and Article 11 of the EU Charter and that legislation intended to fight terrorism
could be misused in such instances;





88. Draws attention to the plight of whistleblowers and their supporters, including
journalists following their revelations; calls on the Commission to conduct an
examination as to whether a future legislative proposal establishing an effective and
comprehensive European whistleblower protection programme, as already requested in
Parliament's resolution of 23 October 2013, should also include other fields of Union
competence, with particular attention to the complexity of whistleblowing in the field
of intelligence; calls on the Member States to thoroughly examine the possibility of
granting whistleblowers international protection from prosecution;


89. Calls on the Member States to ensure that their legislation, notably in the field of
national security, provides a safe alternative to silence for disclosing or reporting of
wrongdoing, including corruption, criminal offences, breaches of legal obligation,
miscarriages of justice and abuse of authority, which is also in line with the provisions
of different international (UN and Council of Europe) instruments against corruption,
the principles laid out in the PACE Resolution 1729 (2010), the Tshwane principles,
etc.;








EU IT security 


90. Points out that recent incidents clearly demonstrate the acute vulnerability of the EU,
and in particular the EU institutions, national governments and parliaments, major
European companies, European IT infrastructures and networks, to sophisticated
attacks using complex software and malware; notes that these attacks require financial
and human resources on a scale such that they are likely to originate from state entities
acting on behalf of foreign governments; in this context, regards the case of the
hacking or tapping of the telecommunications company Belgacom as a worrying
example of an attack on the EU's IT capacity; underlines that boosting EU IT capacity
and security also reduces the vulnerability of the EU towards serious cyberattacks
originating from large criminal organisations or terrorist groups;
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91. Takes the view that the mass surveillance revelations that have initiated this crisis can
be used as an opportunity for Europe to take the initiative and build up, as a strategic
priority measure, a strong and autonomous IT key-resource capability; stresses that in
order to regain trust, such a European IT capability should be based, as much as
possible, on open standards and open-source software and if possible hardware,
making the whole supply chain from processor design to application layer transparent
and reviewable; points out that in order to regain competitiveness in the strategic
sector of IT services, a 'digital new deal' is needed, with joint and large-scale efforts
by EU institutions, Member States, research institutions, industry and civil society;
calls on the Commission and the Member States to use public procurement as leverage
to support such resource capability in the EU by making EU security and privacy
standards a key requirement in the public procurement of IT goods and services; urges
the Commission, therefore, to review the current public procurement practices with
regard to data processing in order to consider restricting tender procedures to certified
companies, and possibly to EU companies, where security or other vital interests are
involved;


92. Strongly condemns the fact that intelligence services sought to lower IT security
standards and to install backdoors in a wide range of IT systems; asks the Commission
to present draft legislation to ban the use of backdoors by law enforcement agencies;
recommends, consequently, the use of open-source software in all environments where
IT security is a concern;


93. Calls on all the Member States, the Commission, the Council and the European
Council to give their fullest support, including through funding in the field of research
and development, to the development of European innovative and technological
capability in IT tools, companies and providers (hardware, software, services and
network), including for purposes of cybersecurity and encryption and cryptographic
capabilities;


94. Calls on the Commission, standardisation bodies and ENISA to develop, by
December 2014, minimum security and privacy standards and guidelines for IT
systems, networks and services, including cloud computing services, in order to better
protect EU citizens' personal data and the integrity of all IT systems; believes that such
standards could become the benchmark for new global standards and should be set in
an open and democratic process, rather than being driven by a single country, entity or
multinational company; takes the view that, while legitimate law enforcement and
intelligence concerns need to be taken into account in order to support the fight against
terrorism, they should not lead to a general undermining of the dependability of all IT
systems; expresses support for the recent decisions by the Internet Engineering Task
Force (IETF) to include governments in the threat model for internet security;


95. Points out that the EU and national telecom regulators, and in certain cases also
telecom companies, have clearly neglected the IT security of their users and clients;
calls on the Commission to make full use of its existing powers under the ePrivacy and
Telecommunication Framework Directive to strengthen the protection of
confidentiality of communication by adopting measures to ensure that
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terminal equipment is compatible with the right of users to control and protect their
personal data, and to ensure a high level of security of telecommunication networks
and services, including by way of requiring state-of-the-art end-to-end encryption of
communications;


96. Supports the EU cyber strategy, but considers that it does not cover all possible
threats and should be extended to cover malicious state behaviour; underlines the need
for more robust IT security and resilience of IT systems;


97. Calls on the Commission, by January 2015 at the latest, to present an Action Plan to
develop greater EU independence in the IT sector, including a more coherent approach
to boosting European IT technological capabilities (including IT systems, equipment,
services, cloud computing, encryption and anonymisation) and to the protection of
critical IT infrastructure (including in terms of ownership and vulnerability);





98. Calls on the Commission, in the framework of the next Work Programme of the
Horizon 2020 Programme, to direct more resources towards boosting European
research, development, innovation and training in the field of IT, in particular
privacy-enhancing technologies and infrastructures, cryptology, secure computing, the
best possible security solutions including open-source security solutions, and other
information society services, and also to promote the internal market in European
software, hardware, and encrypted means of communication and communication
infrastructures, including by developing a comprehensive EU industrial strategy for
the IT industry; considers that small and medium enterprises play a particular role in
research; stresses that no EU funding should be granted to projects having the sole
purpose of developing tools for gaining illegal access into IT systems;


99. Asks the Commission to map out current responsibilities and to review, by
December 2014 at the latest, the need for a broader mandate, better coordination
and/or additional resources and technical capabilities for ENISA, Europol's Cyber
Crime Centre and other Union centres of specialised expertise, CERT-EU and the
EDPS, in order to enable them to play a key role in securing European communication
systems, be more effective in preventing and investigating major IT breaches in the
EU and performing (or assisting Member States and EU bodies to perform) on-site
technical investigations regarding major IT breaches; in particular, calls on the
Commission to consider strengthening ENISA's role in defending the internal systems
within the EU institutions and to establish within ENISA's structure a Computer
Emergency Response Team (CERT) for the EU and its Member States;





100. Requests the Commission to assess the need for an EU IT Academy that brings
together the best independent European and international experts in all related fields,
tasked with providing all relevant EU institutions and bodies with scientific advice on
IT technologies, including security-related strategies;
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101. Calls on the competent services of the Secretariat of the European Parliament,
under the responsibility of the President of Parliament, to carry out, by December 2014
at the latest, a thorough review and assessment of Parliament's IT security
dependability, focused on: budgetary means, staff resources, technical capabilities,
internal organisation and all relevant elements, in order to achieve a high level of
security for Parliament's IT systems; believes that such an assessment should at the
least provide information, analysis and recommendations on:


- the need for regular, rigorous and independent security audits and penetration
tests, with the selection of outside security experts ensuring transparency and
guarantees of their credentials vis-à-vis third countries or any types of vested
interest;

- the inclusion in tender procedures for new IT systems of best-practice specific
IT security/privacy requirements, including the possibility of a requirement for
open-source software as a condition of purchase or a requirement that trusted
European companies should take part in the tender when sensitive,
security-related areas are concerned;

- the list of US companies under contract with Parliament in the IT and telecom
fields, taking into account any information that has come to light about their
cooperation with intelligence agencies (such as revelations about NSA contracts
with a company such as RSA, whose products Parliament is using to supposedly
protect remote access to their data by its Members and staff), including the
feasibility of providing the same services by other, preferably European,
companies;

- the reliability and resilience of the software, and especially off-the-shelf
commercial software, used by the EU institutions in their IT systems with regard
to penetrations and intrusions by EU or third-country law enforcement and
intelligence authorities, taking also into account relevant international standards,
best-practice security risk management principles, and adherence to EU Network
Information Security standards on security breaches;

- the use of more open-source systems;

- steps and measures to take in order to address the increased use of mobile tools
(e.g. smartphones, tablets, whether professional or personal) and its effects on
the IT security of the system;

- the security of the communications between the different workplaces of
Parliament and of the IT systems used in Parliament;

- the use and location of servers and IT centres for Parliament's IT systems and
the implications for the security and integrity of the systems;

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- the implementation in reality of the existing rules on security breaches and
prompt notification of the competent authorities by the providers of publicly
available telecommunication networks;

- the use of cloud computing and storage services by Parliament, including the
nature of the data stored in the cloud, how the content and access to it is
protected and where the cloud servers are located, clarifying the applicable data
protection and intelligence legal framework, as well as assessing the possibilities
of solely using cloud servers that are based on EU territory;

- a plan allowing for the use of more cryptographic technologies, in particular
end-to-end authenticated encryption for all IT and communications services such
as cloud computing, email, instant messaging and telephony;

- the use of electronic signatures in email;

- a plan for using a default encryption standard, such as the GNU Privacy Guard,
for emails that would at the same time allow for the use of digital signatures;

- the possibility of setting up a secure instant messaging service within Parliament
allowing secure communication, with the server only seeing encrypted content;


102. Calls for all the EU institutions and agencies to perform a similar exercise in
cooperation with ENISA, Europol and the CERTs, by December 2014 at the latest, in
particular the European Council, the Council, the European External Action Service
(including EU delegations), the Commission, the Court of Justice and the European
Central Bank; invites the Member States to conduct similar assessments;


103. Stresses that as far as the external action of the EU is concerned, assessments of
related budgetary needs should be carried out and first measures taken without delay
in the case of the European External Action Service (EEAS) and that appropriate
funds need to be allocated in the 2015 draft budget;





104. Takes the view that the large-scale IT systems used in the area of freedom, security
and justice, such as the Schengen Information System II, the Visa Information System,
Eurodac and possible future systems such as EU-ESTA, should be developed and
operated in such a way as to ensure that data are not compromised as a result of
requests by authorities from third countries; asks eu-LISA to report back to Parliament
on the reliability of the systems in place by the end of 2014;


105. Calls on the Commission and the EEAS to take action at the international level,
with the UN in particular, and in cooperation with interested partners to implement an
EU strategy for democratic governance of the internet in order to prevent undue
influence over ICANN's and IANA's activities by any individual entity, company or
country by ensuring appropriate representation of all interested parties in these bodies,
while avoiding the facilitation of state control or censorship or
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the balkanisation and fragmentation of the internet;


106. Calls for the EU to take the lead in reshaping the architecture and governance of
the internet in order to address the risks related to data flows and storage, striving for
more data minimisation and transparency and less centralised mass storage of raw data,
as well as for rerouting of Internet traffic or full end-to-end encryption of all Internet
traffic so as to avoid the current risks associated with unnecessary routing of traffic
through the territory of countries that do not meet basic standards on fundamental
rights, data protection and privacy;








107. Calls for the promotion of

- EU search engines and EU social networks as a valuable step in the direction of IT
independence for the EU;

- European IT service providers;

- encrypting communication in general, including email and SMS communication;

- European IT key elements, for instance solutions for client-server operating systems,
using open-source standards, developing European elements for grid coupling, e.g.
routers;





108. Calls on the Member States, in cooperation with ENISA, Europol's CyberCrime
Centre, CERTs and national data protection authorities and cybercrime units, to
develop a culture of security and to launch an education and awareness-raising
campaign in order to enable citizens to make a more informed choice regarding what
personal data to put on-line and how better to protect them, including through 'digital
hygiene', encryption and safe cloud computing, making full use of the public interest
information platform provided for in the Universal Service Directive;


109. Calls on the Commission, by December 2014, to put forward legislative proposals
to encourage software and hardware manufacturers to introduce more security and
privacy by design and by default features in their products, including by introducing
disincentives for the undue and disproportionate collection of mass personal data and
legal liability on the part of manufacturers for unpatched known vulnerabilities, faulty
or insecure products or the installation of secret backdoors enabling unauthorised
access to and processing of data; in this respect, calls on the Commission to evaluate
the possibility of setting up a certification or validation scheme for IT hardware
including testing procedures at EU level to ensure the integrity and security of the
products;


Rebuilding trust 


110. Believes that, beyond the need for legislative change, the inquiry has shown the
need for the US to restore trust with its EU partners, as it is the US intelligence
agencies' activities that are primarily at stake;
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111. Points out that the crisis of confidence generated extends to:

- the spirit of cooperation within the EU, as some national intelligence activities
may jeopardise the attainment of the Union's objectives;

- citizens, who realise that not only third countries or multinational companies,
but also their own government, may be spying on them;

- respect for fundamental rights, democracy and the rule of law, as well as the
credibility of democratic, judicial and parliamentary safeguards and oversight in
a digital society;








Between the EU and the US 


112. Recalls the important historical and strategic partnership between the EU Member
States and the US, based on a common belief in democracy, the rule of law and
fundamental rights;


113. Believes that the mass surveillance of citizens and the spying on political leaders by
the US have caused serious damage to relations between the EU and the US and
negatively impacted on trust in US organisations acting in the EU; this is further
exacerbated by the lack of judicial and administrative remedies for redress under US
law for EU citizens, particularly in cases of surveillance activities for intelligence
purposes;
114. Recognises, in light of the global challenges facing the EU and the US, that the
transatlantic partnership needs to be further strengthened, and that it is vital that
transatlantic cooperation in counter-terrorism continues on a new basis of trust based
on true common respect for the rule of law and the rejection of all indiscriminate
practices of mass surveillance; insists, therefore, that clear measures need to be taken
by the US to re-establish trust and re-emphasise the shared basic values underlying the
partnership;


115. Is ready to engage in a dialogue with US counterparts so that, in the ongoing
American public and congressional debate on reforming surveillance and reviewing
intelligence oversight, the right to privacy and other rights of EU citizens, residents or
other persons protected by EU law and equivalent information rights and privacy
protection in US courts, including legal redress, are guaranteed through, for example, a
revision of the Privacy Act and the Electronic Communications Privacy Act and by
ratifying the First Optional Protocol to the International Covenant on Civil and
Political Rights (ICCPR), so that the current discrimination is not perpetuated;


116. Insists that necessary reforms be undertaken and effective guarantees be given to
Europeans to ensure that the use of surveillance and data processing for foreign
intelligence purposes is proportional, limited by clearly specified conditions, and
related to reasonable suspicion and probable cause of terrorist activity; stresses that
this purpose must be subject to transparent judicial oversight;
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117. Considers that clear political signals are needed from our American partners to
demonstrate that the US distinguishes between allies and adversaries;




118. Urges the Commission and the US Administration to address, in the context of the
ongoing negotiations on an EU-US Umbrella Agreement on data transfer for law
enforcement purposes, the information and judicial redress rights of EU citizens, and
to conclude these negotiations, in line with the commitment made at the EU-US
Justice and Home Affairs Ministerial Meeting of 18 November 2013, before summer
2014;





119. Encourages the US to accede to the Council of Europe's Convention for the
Protection of Individuals with regard to Automatic Processing of Personal Data
(Convention 108), as it acceded to the 2001 Convention on Cybercrime, thus
strengthening the shared legal basis between the transatlantic allies;





120. Calls on the EU institutions to explore the possibilities for establishing with the
US a code of conduct which would guarantee that no US espionage is pursued against
EU institutions and facilities;


Within the European Union 


121. Also believes that the involvement and activities of EU Member States have led to
a loss of trust, including among Member States and between EU citizens and their
national authorities; is of the opinion that only full clarity as to purposes and means of
surveillance, public debate and, ultimately, revision of legislation, including an end to
mass surveillance activities and strengthening of the system of judicial and
parliamentary oversight, will it be possible to re-establish the trust lost; reiterates the
difficulties involved in developing comprehensive EU security policies with such mass
surveillance activities in operation, and stresses that the EU principle of sincere
cooperation requires that Member States refrain from conducting intelligence activities
in other Member States' territory;


122. Notes that some Member States are pursuing bilateral communication with the US
authorities on spying allegations, and that some of them have concluded (the UK) or
envisage concluding (Germany, France) so-called 'anti-spying' arrangements; stresses
that these Member States need to observe fully the interests and the legislative
framework of the EU as a whole; deems such bilateral arrangements to be
counterproductive and irrelevant, given the need for a European approach to this
problem; asks the Council to inform Parliament on developments by Member States on
an EU-wide mutual no-spy arrangement;


123. Considers that such arrangements should not breach the Union Treaties, especially
the principle of sincere cooperation (under Article 4(3) TEU), or undermine EU
policies in general and, more specifically, the internal market, fair competition, and
economic, industrial and social development; decides to review any such arrangements
for their compatibility with European law, and reserves the right to activate Treaty
procedures in the event of such arrangements being proven to contradict the Union's
cohesion or the fundamental principles on which it is based;








RR\1020713EN.doc 43/66 PE526.085v03-00


124. Calls on the Member States to make every effort to ensure better cooperation with a
view to providing safeguards against espionage, in cooperation with the relevant EU
bodies and agencies, for the protection of EU citizens and institutions, European
companies, EU industry, and IT infrastructure and networks, as well as European
research; considers the active involvement of EU stakeholders to be a precondition for
an effective exchange of information; points out that security threats have become
more international, diffuse and complex, thereby requiring an enhanced European
cooperation; believes that this development should be better reflected in the Treaties,
and therefore calls for a revision of the Treaties in order to reinforce the notion of
sincere cooperation between the Member States and the Union as regards the objective
of achieving an area of security and to prevent mutual espionage between Member
States within the Union;


125. Considers tap-proof communication structures (email and telecommunications,
including landlines and cell phones) and tap-proof meeting rooms within all relevant
EU institutions and EU delegations to be absolutely necessary; therefore calls for the
establishment of an encrypted internal EU email system;


126. Calls on the Council and Commission to consent without further delay to the
proposal adopted by the European Parliament on 23 May 2012 for a regulation of the
European Parliament on the detailed provisions governing the exercise of the European
Parliament's right of inquiry and repealing Decision 95/167/EC, Euratom, ECSC of the
European Parliament, the Council and the Commission presented on the basis of
Article 226 TFEU; calls for a revision of the Treaty in order to extend such inquiry
powers to cover, without restrictions or exceptions, all fields of Union competence or
activity and to include the possibility of questioning under oath;


Internationally 








127. Calls on the Commission to present, by January 2015 at the latest, an EU strategy
for democratic governance of the internet;


128. Calls on the Member States to follow the call of the 35th International Conference
of Data Protection and Privacy Commissioners 'to advocate the adoption of an
additional protocol to Article 17 of the International Covenant on Civil and Political
Rights (ICCPR), which should be based on the standards that have been developed and
endorsed by the International Conference and the provisions in the Human Rights
Committee General Comment No 16 to the Covenant in order to create globally
applicable standards for data protection and the protection of privacy in accordance
with the rule of law'; calls on the Member States to include in this exercise a call for
an international UN agency to be in charge of, in particular, monitoring the emergence
of surveillance tools and regulating and investigating their uses; asks the High
Representative/Vice-President of the Commission and the European External Action
Service to take a proactive stance;


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129. Calls on the Member States to develop a coherent and strong strategy within the
UN, supporting in particular the resolution on 'the right to privacy in the digital age'
initiated by Brazil and Germany, as adopted by the Third Committee of the UN
General Assembly (Human Rights Committee) on 27 November 2013, as well as
taking further action for the defence of the fundamental right to privacy and data
protection at an international level while avoiding any facilitation of state control or
censorship or the fragmentation of the internet, including an initiative for an
international treaty prohibiting mass surveillance activities and an agency for its
oversight;


Priority Plan: A European Digital Habeas Corpus - protecting fundamental rights in a
digital age


130. Decides to submit to EU citizens, institutions and Member States the
above-mentioned recommendations as a Priority Plan for the next legislature;


131. Decides to launch 'A European Digital Habeas Corpus - protecting fundamental
rights in a digital age' with the following 8 actions, the implementation of which it
will oversee:


Roman 


Action 1: Adopt the Data Protection Package in 2014; ™(Formatiert: Schriftart: Fett 


Action 2: Conclude the EU-US Umbrella Agreement guaranteeing the fundamental right of citizens to privacy and data protection and ensuring proper redress mechanisms for EU citizens, including in the event of data transfers from the EU to the US for law-enforcement purposes;





Action 3: Suspend Safe Harbour until a full review has been conducted and current loopholes are remedied, making sure that transfers of personal data for commercial purposes from the Union to the US can only take place in compliance with the highest EU standards;


Action 4: Suspend the TFTP agreement until: (i) the Umbrella Agreement negotiations have been concluded; (ii) a thorough investigation has been concluded on the basis of an EU analysis and all concerns raised by Parliament in its resolution of 23 October 2013 have been properly addressed;


Action 5: Evaluate any agreement, mechanism or exchange with third countries involving personal data in order to ensure that the right to privacy and to the protection of personal data is not violated due to surveillance activities, and take necessary follow-up actions;
Action 6: Protect the rule of law and the fundamental rights of EU citizens (including from threats to the freedom of the press), the right of the public to receive impartial information and professional confidentiality (including lawyer-client relations), as well as ensuring enhanced protection for whistleblowers;


Action 7: Develop a European strategy for greater IT independence (a 'digital new deal' including the allocation of adequate resources at national and EU levels) in order to boost IT industry and allow European companies to exploit the EU privacy competitive advantage;


Action 8: Develop the EU as a reference player for a democratic and neutral governance of the internet;


132. Calls on the EU institutions and the Member States to promote the 'European Digital Habeas Corpus - protecting fundamental rights in a digital age'; undertakes to act as the EU citizens' rights advocate, with the following timetable to monitor implementation:













- April-July 2014: a monitoring group based on the LIBE inquiry team responsible for monitoring any new revelations concerning the inquiry's mandate and scrutinising the implementation of this resolution;

- July 2014 onwards: a standing oversight mechanism for data transfers and judicial remedies within the competent committee;

- Spring 2014: a formal call on the European Council to include the 'European Digital Habeas Corpus - protecting fundamental rights in a digital age' in the guidelines to be adopted under Article 68 TFEU;


- Autumn 2014: a commitment that the 'European Digital Habeas Corpus - protecting fundamental rights in a digital age' and related recommendations will serve as key criteria for the approval of the next Commission;













- 2014-2015: a Trust/Data/Citizens' Rights group to be convened on a regular basis between the European Parliament and the US Congress, as well as with other committed third-country parliaments, including that of Brazil;
- 2014-2015: a conference with the intelligence oversight bodies of European national parliaments;


Instructs its President to forward this resolution to the European Council, the Council, the Commission, the parliaments and governments of the Member States, the national data protection authorities, the EDPS, eu-LISA, ENISA, the Fundamental Rights Agency, the Article 29 Working Party, the Council of Europe, the Congress of the United States of America, the US Administration, the President, Government and Parliament of the Federative Republic of Brazil, and the UN Secretary-General.


EXPLANATORY STATEMENT


'The office of the sovereign, be it a monarch or an assembly, consisteth in the end, for which he was trusted with the sovereign power, namely the procuration of the safety of people'

Hobbes, Leviathan (chapter XXX)


'We cannot commend our society to others by departing from the fundamental standards which make it worthy of commendation'

Lord Bingham of Cornhill, Former Lord Chief Justice of England and Wales


Methodology 


From July 2013, the LIBE Committee of Inquiry was responsible for the extremely challenging task of fulfilling the mandate¹ of the Plenary on the investigation into the electronic mass surveillance of EU citizens in a very short timeframe, less than 6 months.


During that period it held over 15 hearings covering each of the specific cluster issues prescribed in the 4 July resolution, drawing on the submissions of both EU and US experts representing a wide range of knowledge and backgrounds: EU institutions, national parliaments, US Congress, academics, journalists, civil society, security and technology specialists and private business. In addition, a delegation of the LIBE Committee visited Washington on 28-30 October 2013 to meet with representatives of both the executive and the legislative branch (academics, lawyers, security experts, business representatives)². A delegation of the Committee on Foreign Affairs (AFET) was also in town at the same time, and a few meetings were held together.


A series of working documents³ have been co-authored by the rapporteur, the shadow rapporteurs⁴ from the various political groups and 3 Members from the AFET Committee⁵, enabling a presentation of the main findings of the Inquiry. The rapporteur would like to thank all shadow rapporteurs and AFET Members for their close cooperation and high-level commitment throughout this demanding process.


Scale of the problem 


An increasing focus on security combined with developments in technology has enabled States to know more about citizens than ever before. By being able to collect data regarding the content of communications, as well as metadata, and by following citizens' electronic activities, in particular their use of smartphones and tablet computers, intelligence services are de facto able to know almost everything about a person. This has contributed to a fundamental shift in the work and practices of intelligence agencies, away from the traditional concept of targeted surveillance as a necessary and proportional counter-terrorism measure, towards systems of mass surveillance.

¹ http .europarl.e
rov(2013)0322 en.pdf
² See Washington delegation report.
³ See Annex I.
⁴ List of shadow rapporteurs: Axel Voss (EPP), Sophia in't Veld (ALDE), Jan Philipp Albrecht (GREENS/ALE), Timothy Kirkhope (EFD), Cornelia Ernst (GUE).
⁵ List of AFET Members: José Ignacio Salafranca Sánchez-Neyra (EPP), Ana Gomes (S&D), Annemie Neyts-Uyttebroeck (ALDE).


This process of increasing mass surveillance has not been subject to any prior public debate or democratic decision-making. Discussion is needed on the purpose and scale of surveillance and its place in a democratic society. Is the situation created by Edward Snowden's revelations an indication of a general societal turn towards the acceptance of the death of privacy in return for security? Do we face a breach of privacy and intimacy so great that it is possible not only for criminals but for IT companies and intelligence agencies to know every detail of the life of a citizen? Is it a fact to be accepted without further discussion? Or is it the responsibility of the legislator to adapt the policy and legal tools at hand to limit the risks and prevent further damage should less democratic forces come to power?


Reactions to mass surveillance and a public debate 


The debate on mass surveillance does not take place in an even manner inside the EU. In fact, in many Member States there is hardly any public debate, and media attention varies. Germany seems to be the country where reactions to the revelations have been strongest and public discussion of their consequences has been widespread. In the United Kingdom and France, in spite of investigations by The Guardian and Le Monde, reactions seem more limited, a fact that has been linked to the alleged involvement of their national intelligence services in activities with the NSA. The LIBE Committee Inquiry has been in a position to hear valuable contributions from the parliamentary oversight bodies of Belgium, the Netherlands, Denmark and even Norway; however, the British and French Parliaments have declined participation. These differences show again the uneven degree of checks and balances within the EU on these issues and that more cooperation is needed between parliamentary bodies in charge of oversight.


Following the disclosures of Edward Snowden in the mass media, public debate has been based on two main types of reactions. On the one hand, there are those who deny the legitimacy of the information published on the grounds that most of the media reports are based on misinterpretation; in addition, many, while not having refuted the disclosures, contest the validity of the disclosures made, citing the security risks they allegedly cause for national security and the fight against terrorism.


On the other hand, there are those who consider that the information provided requires an informed, public debate because of the magnitude of the problems it raises for issues key to a democracy, including the rule of law, fundamental rights, citizens' privacy and the public accountability of law-enforcement and intelligence services. This is certainly the case for the journalists and editors of the world's biggest press outlets who are privy to the disclosures, including The Guardian, Le Monde, Der Spiegel, The Washington Post and Glenn Greenwald.


The two types of reactions outlined above are based on a set of reasons which, if followed, 
may lead to quite opposed decisions as to how the EU should or should not react. 
3 reasons not to act


— The 'Intelligence/national security argument': no EU competence

Edward Snowden's revelations relate to US and some Member States' intelligence activities, but national security is a national competence; the EU has no competence in such matters (except on EU internal security) and therefore no action is possible at EU level.


— The 'Terrorism argument': danger of the whistleblower

Any follow-up to these revelations, or their mere consideration, further weakens the security of the US as well as the EU, as it does not condemn the publication of documents the content of which, even if redacted as the media players involved explain, may give valuable information to terrorist groups.


— The 'Treason argument': no legitimacy for the whistleblower

As mainly put forward by some in the US and in the United Kingdom, any debate launched or action envisaged further to E. Snowden's revelations is intrinsically biased and irrelevant as it would be based on an initial act of treason.


— The 'realism argument': general strategic interests


Even if some mistakes and illegal activities were to be confirmed, they should be balanced 
against the need to maintain the special relationship between the US and Europe to 
preserve shared economic, business and foreign policy interests. 


— The ‘Good government argument’: trust your government 


US and EU Governments are democratically elected. In the field of security, and even when intelligence activities are conducted in order to fight against terrorism, they comply with democratic standards as a matter of principle. This 'presumption of good and lawful governance' rests not only on the goodwill of the holders of the executive powers in these states but also on the checks and balances mechanism enshrined in their constitutional systems.


As one can see, reasons not to act are numerous and powerful. This may explain why most EU governments, after some initial strong reactions, have preferred not to act. The main action by the Council of Ministers has been to set up a 'transatlantic group of experts on data protection' which has met 3 times and put forward a final report. A second group is supposed to have met on intelligence-related issues between US authorities and Member States' ones, but no information is available. The European Council has addressed the surveillance problem in a mere statement of Heads of State or Government¹. Up until now only a few national parliaments have launched inquiries.

¹ European Council Conclusions of 24-25 October 2013, in particular: 'The Heads of State or Government took note of the intention of France and Germany to seek bilateral talks with the USA with the aim of finding before the end of the year an understanding on mutual relations in that field. They noted that other EU countries are welcome to join this initiative. They also pointed to the existing Working Group between the EU and the USA on the related issue of data protection and called for rapid and constructive progress in that respect.'


5 reasons to act 


The ‘mass surveillance argument’: in which society do we want to live? 


Since the very first disclosure in June 2013, consistent references have been made to George Orwell's novel '1984'. Since the 9/11 attacks, a focus on security and a shift towards targeted and specific surveillance has seriously damaged and undermined the concept of privacy. The history of both Europe and the US shows us the dangers of mass surveillance and the gradual slide towards societies without privacy.


The 'fundamental rights argument': 


Mass and indiscriminate surveillance threatens citizens' fundamental rights, including the right to privacy, data protection, freedom of the press and fair trial, which are all enshrined in the EU Treaties, the Charter of Fundamental Rights and the ECHR. These rights cannot be circumvented nor negotiated away against any benefit expected in exchange unless duly provided for in legal instruments and in full compliance with the Treaties.


The ‘EU internal security argument’: 


National competence on intelligence and national security matters does not exclude a parallel EU competence. The EU has exercised the competences conferred upon it by the EU Treaties in matters of internal security by deciding on a number of legislative instruments and international agreements aimed at fighting serious crime and terrorism, and by setting up an internal security strategy and agencies working in this field. In addition, other services have been developed reflecting the need for increased cooperation at EU level on intelligence-related matters: INTCEN (placed within the EEAS) and the Anti-terrorism Coordinator (placed within the Council General Secretariat), neither of them with a legal basis.


The ‘deficient oversight argument’ 


While intelligence services perform an indispensable function in protecting against 
internal and external threats, they have to operate within the rule of law and to do so must 
be subject to a stringent and thorough oversight mechanism. The democratic oversight of 
intelligence activities is conducted at national level but due to the international nature of 
security threats there is now a huge exchange of information between Member States and 
with third countries like the US; improvements in oversight mechanisms are needed both at 
national and at EU level if traditional oversight mechanisms are not to become ineffective 
and outdated. 


The ‘chilling effect on media’ and the protection of whistleblowers 


The disclosures of Edward Snowden and the subsequent media reports have highlighted the pivotal role of the media in a democracy in ensuring the accountability of governments. When supervisory mechanisms fail to prevent or rectify mass surveillance, the role of the media and whistleblowers in unveiling possible illegalities or misuses of power is extremely important. Reactions from the US and UK authorities to the media have shown the vulnerability of both the press and whistleblowers and the urgent need to do more to protect them.


The European Union is called on to choose between a ‘business as usual’ policy (sufficient 
reasons not to act, wait and see) and a ‘reality check’ policy (surveillance is not new, but there 
is enough evidence of an unprecedented magnitude of the scope and capacities of intelligence 
agencies requiring the EU to act). 


Habeas Corpus in a Surveillance Society 


In 1679 the British Parliament adopted the Habeas Corpus Act as a major step forward in securing the right to a judge in times of rival jurisdictions and conflicts of laws. Nowadays our democracies ensure proper rights for a convicted person or detainee who is physically subject to a criminal proceeding or brought before a court. But his or her data, as posted, processed, stored and tracked on digital networks, form a 'body of personal data', a kind of digital body specific to every individual that can reveal much of his or her identity, habits and preferences of all types.


Habeas Corpus is recognised as a fundamental legal instrument for safeguarding individual freedom against arbitrary state action. What is needed today is an extension of Habeas Corpus to the digital era. The right to privacy and respect for the integrity and the dignity of the individual are at stake. Mass collection of data with no respect for EU data protection rules, and specific violations of the proportionality principle in the management of that data, run counter to the constitutional traditions of the Member States and the foundations of the European constitutional order.


The main novelty today is that these risks do not only originate in criminal activities (against which the EU legislator has adopted a series of instruments) or in possible cyber-attacks from governments of countries with a lower democratic record. There is a realisation that such risks may also come from law-enforcement and intelligence services of democratic countries, putting EU citizens or companies under conflicts of laws that result in less legal certainty, with possible violations of rights without proper redress mechanisms.


Governance of networks is needed to ensure the safety of personal data. Before modern states 
developed, no safety on roads or city streets could be guaranteed and physical integrity was at 
risk. Nowadays, despite dominating everyday life, information highways are not secure. 
Integrity of digital data must be secured, against criminals of course but also against possible 
abuse of power by state authorities or contractors and private companies under secret judicial 
warrants. 


LIBE Committee Inquiry Recommendations 


Many of the problems raised today are extremely similar to those revealed by the European Parliament Inquiry on the Echelon programme in 2001. The impossibility for the previous legislature to follow up on the findings and recommendations of the Echelon Inquiry should serve as a key lesson to this Inquiry. It is for this reason that this Resolution, recognising both the magnitude of the revelations involved and their ongoing nature, is forward planning and ensures that there are specific proposals on the table for follow-up action in the next Parliamentary mandate, ensuring the findings remain high on the EU political agenda.

PE526.085«92v03-00 52/66 PR-034703bENRRM 0207 13 EN. doc
MAT A BMI-1-11e_12.pdf, Blatt 429


Based on this assessment, the rapporteur would like to submit to the vote of the Parliament the following measures:


'A European Digital Habeas Corpus - protecting fundamental rights in a digital age' based on 8 actions:


Action 1: Adopt the Data Protection Package in 2014; 


Action 2: Conclude the EU-US Umbrella Agreement guaranteeing the fundamental right of citizens to privacy and data protection and ensuring proper redress mechanisms for EU citizens, including in the event of data transfers from the EU to the US for law-enforcement purposes;





Action 3: Suspend Safe Harbour until a full review has been conducted and current loopholes are remedied, making sure that transfers of personal data for commercial purposes from the Union to the US can only take place in compliance with the highest EU standards;

Action 4: Suspend the TFTP agreement until: (i) the Umbrella Agreement negotiations have been concluded; (ii) a thorough investigation has been concluded on the basis of an EU analysis and all concerns raised by Parliament in its resolution of 23 October 2013 have been properly addressed;


Action 5: Evaluate any agreement, mechanism or exchange with third countries involving personal data in order to ensure that the right to privacy and to the protection of personal data are not violated due to surveillance activities, and take necessary follow-up actions;


Action 6: Protect the rule of law and the fundamental rights of EU citizens (including from threats to the freedom of the press), the right of the public to receive impartial information and professional confidentiality (including lawyer-client relations), as well as enhanced protection for whistleblowers;


Action 7: Develop a European strategy for greater IT independence (a 'digital new deal' including the allocation of adequate resources at national and EU level) to boost IT industry and allow European companies to exploit the EU privacy competitive advantage;


Action 8: Develop the EU as a reference player for a democratic and neutral governance of the internet;





After the conclusion of the Inquiry, the European Parliament should continue acting as the EU citizens' rights advocate, with the following timetable to monitor implementation:
- April-July 2014: a monitoring group based on the LIBE inquiry team responsible for monitoring any new revelations concerning the inquiry's mandate and scrutinising the implementation of this resolution;
- July 2014 onwards: a standing oversight mechanism for data transfers and judicial remedies within the competent committee;


- Spring 2014: a formal call on the European Council to include the 'European Digital Habeas Corpus - protecting fundamental rights in a digital age' in the guidelines to be adopted under Article 68 TFEU;
- Autumn 2014: a commitment that the 'European Digital Habeas Corpus - protecting fundamental rights in a digital age' and related recommendations will serve as key criteria for the approval of the next Commission;





- 2015: a conference bringing together high-level European experts in the various fields conducive to IT security (including mathematics, cryptography and privacy-enhancing technologies) to help foster an EU IT strategy for the next legislature;


- 2014-2015: a Trust/Data/Citizens' Rights group to be convened on a regular basis between the European Parliament and the US Congress, as well as with other committed third-country parliaments, including Brazil;








- 2014-2015: a conference with the intelligence oversight bodies of European national parliaments;



ANNEX I: LIST OF WORKING DOCUMENTS 


LIBE Committee Inquiry 





Mr Moraes (S&D): US and EU Member Surveillance programmes and their impact on EU citizens' fundamental rights

Mr Voss (EPP): US surveillance activities with respect to EU data and its possible legal implications on transatlantic agreements and cooperation

Mass Surveillance of EU Citizens
ANNEX I: LIST OF HEARINGS AND EXPERTS


LIBE COMMITTEE INQUIRY 
ON US NSA SURVEILLANCE PROGRAMME, 
SURVEILLANCE BODIES IN VARIOUS MEMBER STATES 
AND THEIR IMPACT ON EU CITIZENS’ FUNDAMENTAL RIGHTS AND ON 
TRANSATLANTIC COOPERATION IN JUSTICE AND HOME AFFAIRS 


Following the European Parliament resolution of 4th July 2013 (para. 16), the LIBE Committee has held a series of hearings to gather information relating to the different aspects at stake, assess the impact of the surveillance activities covered, notably on fundamental rights and data protection rules, explore redress mechanisms and put forward recommendations to protect EU citizens' rights, as well as to strengthen the IT security of EU institutions.


5 September 2013, 15.00-18.30 (BXL)

- Exchange of views with the journalists unveiling the case and having made public the facts: Jacques FOLLOROU, Le Monde; Jacob APPELBAUM, investigative journalist, software developer and computer security researcher with the Tor Project; Alan RUSBRIDGER, Editor-in-Chief of Guardian News and Media (via videoconference)
- Follow-up of the Temporary Committee on the ECHELON Interception System: Carlos COELHO (MEP), former Chair of the Temporary Committee on the ECHELON Interception System; Gerhard SCHMID (former MEP and Rapporteur of the ECHELON report 2001); Duncan CAMPBELL, investigative journalist and author of the STOA report 'Interception Capabilities 2000'

12 September 2013, 10.00-12.00 (STR)

- Feedback of the meeting of the EU-US Transatlantic group of experts on data protection of 19/20 September 2013 - working method and cooperation with the LIBE Committee Inquiry (in camera): Darius ZILYS, Council Presidency, Director International Law Department, Lithuanian Ministry of Justice (co-chair of the EU-US ad hoc working group on data protection); Paul NEMITZ, Director DG JUST, European Commission (co-chair of the EU-US ad hoc working group on data protection); Reinhard PRIEBE, Director DG HOME, European Commission (co-chair of the EU-US ad hoc working group on data protection)
- Exchange of views with the Article 29 Data Protection Working Party: Jacob KOHNSTAMM, Chairman

24 September 2013, 9.00-11.30 and 15.00-18.30 (BXL), with AFET

- Allegations of NSA tapping into the SWIFT data used in the TFTP programme: Cecilia MALMSTRÖM, Member of the European Commission; Rob WAINWRIGHT, Director of Europol; Blanche PETRE, General Counsel of SWIFT
- Feedback of the meeting of the EU-US Transatlantic group of experts on data protection of 19/20 September 2013: Darius ZILYS, Council Presidency, Director International Law Department, Lithuanian Ministry of Justice (co-chair of the EU-US ad hoc working group on data protection); Paul NEMITZ, Director DG JUST, European Commission (co-chair of the EU-US ad hoc working group on data protection); Reinhard PRIEBE, Director DG HOME, European Commission (co-chair of the EU-US ad hoc working group on data protection)
- Exchange of views with US Civil Society (Part I): Jens-Henrik JEPPESEN, Director, European Affairs, Center for Democracy & Technology (CDT); Greg NOJEIM, Senior Counsel and Director of Project on Freedom, Security & Technology, Center for Democracy & Technology (CDT) (via videoconference)

16.00 to 18.30

- Effectiveness of surveillance in fighting crime and terrorism in Europe: Dr Reinhard KREISSL, Coordinator, Increasing Resilience in Surveillance Societies (IRISS) (via videoconference)
- Presentation of the study on the US surveillance programmes and their impact on EU citizens' privacy: Caspar BOWDEN, Independent researcher, ex-Chief Privacy Adviser of Microsoft, author of the Policy Department note commissioned by the LIBE Committee on the US surveillance programmes and their impact on EU citizens' privacy
- Exchange of views with US Civil Society (Part II): Marc ROTENBERG, Electronic Privacy Information Centre (EPIC); Catherine CRUMP, American Civil Liberties Union (ACLU)
- Whistleblowers' activities in the field of surveillance and their legal protection. Statements by whistleblowers: Thomas DRAKE, ex-NSA Senior Executive; J. Kirk WIEBE, ex-NSA Senior analyst; Annie MACHON, ex-MI5 Intelligence officer. Statements by NGOs on legal protection of whistleblowers: Jesselyn RADACK, lawyer and representative of 6 whistleblowers, Government Accountability Project; John DEVITT, Transparency International Ireland
- Allegations of 'hacking' / tapping into the Belgacom systems by intelligence services (UK GCHQ): Mr Geert STANDAERT, Vice President Service Delivery Engine, BELGACOM S.A.; Mr Dirk LYBAERT, Secretary; Mr Frank ROBBEN, Commission de la Protection de la Vie Privée Belgique, co-rapporteur 'dossier Belgacom'

7 October 2013, 19.00-21.30 (STR)

- Impact of US surveillance programmes on the US Safe Harbour
- Impact of US surveillance programmes on other instruments for international transfers (contractual clauses, binding
  Dr Imke SOMMER, Die Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen; Peter HUSTINX, European Data Protection Supervisor (EDPS); Ms Isabelle FALQUE-PIERROTIN, President of CNIL (France)

14 October 2013, 15.00-18.30 (BXL)

- Electronic Mass Surveillance of EU Citizens and International, Council of Europe and EU Law
- Court cases on Surveillance Programmes
  Martin SCHEININ, Former UN Special Rapporteur on the promotion and protection of human rights while countering terrorism, Professor at the European University Institute and leader of the FP7 project 'SURVEILLE'; Judge Bostjan ZUPANCIC, Judge at the ECHR (via videoconference); Douwe KORFF, Professor of Law, London Metropolitan University; Président of the 'Ligue des Droits de l'Homme' (LDH); Scientist, Project Leader at Forschungszentrum für Kultur

7 November 2013, 9.00-11.30 and 15.00-18.30 (BXL)

- The role of EU IntCen in EU Intelligence activity (in camera): Mr Ilkka SALMI, Director of the EU Intelligence Analysis Centre (IntCen)
- National programmes for mass surveillance of personal data in EU Member States and their compatibility with EU law: Dr Sergio CARRERA, Senior Research Fellow and Head of the JHA Section, Centre for European Policy Studies (CEPS), Brussels; Dr Francesco RAGAZZI, Assistant Professor in International Relations, Leiden University
- The role of Parliamentary oversight of intelligence services at national level in an era of mass surveillance (Part I): Mr Iain CAMERON, Member of the European Commission for Democracy through Law ('Venice Commission'); Mr Ian LEIGH, Professor of Law, Durham University; Mr David BICKFORD, Former Legal Director of the Security and intelligence agencies MI5 and MI6 (UK); Mr Gus HOSEIN, Executive Director, Privacy International
- EU-US transatlantic experts group: Mr Paul NEMITZ, Director - Fundamental Rights and Citizenship, DG JUST, European Commission; Mr Reinhard PRIEBE, Director - Crisis Management and Internal Security, DG HOME, European Commission

11 November 2013, 15.00-18.30 (BXL)

- US surveillance programmes and their impact on EU citizens' privacy (statement by Mr Jim SENSENBRENNER, Member of the US Congress): Mr Jim SENSENBRENNER, US House of Representatives (Member of the Committee on the Judiciary and Chairman of the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations)
- The role of Parliamentary oversight of intelligence services at national level in an era of mass surveillance (NL, SW) (Part II): Mr Peter ERIKSSON, Chair of the Committee on the Constitution, Swedish Parliament (Riksdag); Mr A.H. VAN DELDEN, Chair of the Dutch independent Review Committee on the Intelligence and Security Services (CTIVD)
- US NSA programmes for electronic mass surveillance and the role of IT Companies: Ms Dorothee BELZ, Vice-President, Legal and Corporate Affairs, Microsoft EMEA
(Microsoft, Google, Facebook) (Europe, Middle East and 
Africa) 
e Mr Nicklas LUNDBLAD, 
Director, Public Policy and 






Government Relations, Google 
e Mr Richard ALLAN, Director 
EMEA Public Policy, Facebook 













14" 








November 











- IT Security of EU institutions —. e Mr Giancarlo VILELLA, 










2013 15.00- | (Part I) (EP, COM (CERT-EU), Director General, DG ITEC, 
18.30 (BXL) | (eu-LISA) European Parliament . 
With AFET e Mr Ronald PRINS, Director and 






co-founder of Fox-IT 
Mr Freddy DEZEURE, head of 
task force CERT-EU, DG 
DIGIT, European Commission 
e Mr Luca ZAMPAGLIONE, 
Security Officer, eu-LISA 























- Therole of Parliamentary 
oversight of intelligence services at 
national level in an era of mass 
surveillance (Part IIT) (BE, DA) 








Mr Armand DE DECKER, Vice- 
Chair of the Belgian Senate, 
Member of the Monitoring 
Committee of the Intelligence 
Services Oversight Committee 
Mr Guy RAPAILLE, Chair of 
the Intelligence Services 
Oversight Committee (Comité 
R) 

e Mr Karsten LAURITZEN, 
Member of the Legal Affairs 
Committee, Spokesperson for 
Legal Affairs — Danish Folketing 


18? November | - Court cases and other complaints e Dr Adam BODNAR, Vice- 
2013 19.00— | on national surveillance programs President of the Board, Helsinki 
21.30(STR) | (Part IT) (Polish NGO) Foundation for Human Rights 
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- Therole of Parliamentary 
oversight of intelligence services at 
national level in an era ofmass 

surveillance (Part IV) (Norway) 


Mr Michael TETZSCHNER, 
member of The Standing 
Committee on Scrutiny and 
Constitutional Affairs, Norway 
Stortinget 
Mr Olivier BURGERSDIJK, 







2013 15.00- 
18.30 (BXL) 














- IT Security of EU institutions 










2013, 15.00— | (Part II) Head of Strategy, European 
18.30 (BXL) Cybercrime Centre, EUROPOL 
e Prof. Udo HELMBRECHT, 
Executive Director of ENISA 









e Mr Florian WALTHER, 
Independent IT-Security 
consultant 

e Mr Jonathan GOLDSMITH, 

Secretary General, Council of 

Bars and Law Societies of 

Europe (CCBE 

e Ms Viviane REDING, Vice 

President of the European 

Commission 













- The impact of mass surveillance 
on confidentiality of lawyer-client 
relations 



















- Rebuilding Trust on EU-US Data 
flows 




















- Council of Europe Resolution Mr Arcadio DÍAZ TEJERA, 


1954 (2013) on *National security Member of the Spanish Senate, - 
and access to information' Member of the Parliamentary 
Assembly of the Council of 






Europe and Rapporteur on its 
Resolution 1954 (2013) on 
"National security and access to 
information' 
Ms Vanessa GRAZZIOTIN, 
Chair of the Parliamentary 
Committee of Inquiry on 
Espionage 
© Mr Ricardo DE REZENDE 
FERRACO, Rapporteur ofthe 
Parliamentary Committee of 
Inquiry on Espionage 






















Parliamentary Committee of 
Inquiry on Espionage of the 
Brazilian Senate 

(Videoconference) 



















IT means of protecting privacy Mr Bart PRENEEL, Professor in 


Computer Security and Industrial 
Cryptography in the University 
KU Leuven, Belgium 
e Mr Stephan LECHNER, 
Director, Institute for the 
Protection and Security of the 
Citizen (IPSC), - Joint Research 
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Exchange of views on the Russian 
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2014 (BXL) 
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Centre(JRC), European 
Commission 

Dr- Christopher SOGHOIAN, 
Principal Technologist, Speech, 
Privacy & Technology Project, 
American Civil Liberties Union 
Christian HORCHERT, IT- 
Security Consultant, Germany 


Mr Glenn GREENWALD, 
Author and columnist with a 
focus on national security and 
eivil liberties, formerly ofthe 
Guardian 


Mr Andrei Soldatov 


investigative journalist, an editor 
of Agentura.ru 
ANNEX III: LIST OF EXPERTS WHO DECLINED PARTICIPATING IN THE LIBE INQUIRY PUBLIC HEARINGS

1. Experts who declined the LIBE Chair's Invitation

United States
- Mr Keith Alexander, General US Army, Director NSA (1)
- Mr Robert S. Litt, General Counsel, Office of the Director of National Intelligence (2)
- Mr Robert A. Wood, Chargé d'affaires, United States Representative to the European Union

United Kingdom
- Sir Iain Lobban, Director of the United Kingdom's Government Communications Headquarters (GCHQ)

France
- M. Bajolet, Directeur général de la Sécurité Extérieure, France
- M. Calvar, Directeur Central de la Sécurité Intérieure, France

Netherlands
- Mr Ronald Plasterk, Minister of the Interior and Kingdom Relations, the Netherlands
- Mr Ivo Opstelten, Minister of Security and Justice, the Netherlands

Poland
- Mr Dariusz Luczak, Head of the Internal Security Agency of Poland
- Mr Maciej Hunia, Head of the Polish Foreign Intelligence Agency

(1) The Rapporteur met with Mr Alexander together with Chairman Brok and Senator Feinstein in Washington on 29 October 2013.
(2) The LIBE delegation met with Mr Litt in Washington on 29 October 2013.

Private IT Companies
- Tekedra N. Mawakana, Global Head of Public Policy and Deputy General Counsel, Yahoo
- Dr Saskia Horsch, Senior Manager Public Policy, Amazon

EU Telecommunication Companies
- Ms Doutriaux, Orange
- Mr Larry Stone, President Group Public & Government Affairs, British Telecom, UK
- [name not legible], Telekom, Germany
- Vodafone

2. Experts who did not respond to the LIBE Chair's Invitation

Netherlands
- Mr Rob Bertholee, Directeur Algemene Inlichtingen en Veiligheidsdienst (AIVD)

Sweden
- Mr Ingvar Åkesson, National Defence Radio Establishment
RESULT OF FINAL VOTE IN COMMITTEE

Result of final vote: [figures not legible]

Members present for the final vote: Jan Philipp Albrecht, Roberta Angelilli, Mario Borghezio, Rita Borsellino, Arkadiusz Tomasz Bratkowski, Philip Claeys, Carlos Coelho, Agustín Díaz de Mera García Consuegra, Ioan Enciu, Frank [surname not legible], [names not legible], Salvatore Iacolino, Lívia Járóka, [...] Jiménez-Becerril Barrio, Timothy Kirkhope, Juan Fernando López Aguilar, Monica Luisa Macovei, Svetoslav Hristov Malinov, Véronique Mathieu [...], Anthea McIntyre, Nuno Melo, Louis Michel, Claude Moraes, Antigoni Papadopoulou, Georgios Papanikolaou, Judith Sargentini, Birgit Sippel, Csaba Sógor, Rui Tavares, Axel Voss, Tatjana Zdanoka, Auke Zijlstra

Substitute(s) present for the final vote: Alexander Alvaro, Anna Maria Corazza Bildt, Monika Hohlmeier, [name not legible], Iliana Malinova Iotova, Jean Lambert, Marian-Jean Marinescu, Jan Mulder, Siiri Oviir, Salvador Sedó i Alabart

Substitute(s) under Rule 187 present for the final vote: Richard Ashworth, Phil Bennion, Françoise Castex, Jürgen Creutzmann, Christian Ehler, Knut Fleckenstein, Carmen Fraga [...]
Document 2014/0127148
From: Mantz, Rainer, Dr.
Sent: Friday, 14 March 2014 16:45
To: SVITD_
Cc: Schallbruch, Martin; Batt, Peter; ITD_; Werth, Sören, Dr.; RegIT3
Subject: FW: Minister's US trip - here: IT roundtable

To
Mr IT-D
via
Mr SV IT-D
Mr RL IT 3 [Ma 140314]
Subject: Minister's US trip - here: IT roundtable

Attached is the current draft of the submission to the Minister on the IT roundtable on 21 May in Washington, D.C., together with the schedule plan from [illegible].
PG DS will be further involved in preparing the roundtable.

[Attachments: 140314 USA Minister.docx; 140313 Programmskizze ...]

The submission will be finalised after the consultation on the US trip.

Dr. Werth

Attachments to document 2014-0127148.msg

1. 140314 USA Minister.docx (3 pages)
2. 140313 Programmskizze Min USA 19-21 Mai 2014.docx (2 pages)

1)
Division IT 3

IT3-20403/2#6

Head of Division: Dr. Dürig / Dr. Mantz
Desk officer: Dr. Werth

To the Minister

via

State Secretary Rogall-Grothe

Mr IT-D
Mr SV IT-D

Berlin, 14 March 2014
Internal phone: 1374 / 2308

Copies to:

AG/Division(s) ... has/have co-signed / not co-signed; if applicable, note on the involvement of other ministries.

Re: Roundtable with IT companies on 21 May 2014 in Washington, D.C.

1. Recommendation
Approval.

2. Facts

A roundtable with US IT companies is being planned for your US trip from 19 to 21 May 2014.

The disclosures about the NSA since summer 2013 have shaken trust in the Internet. This applies both to the products (hardware and software) and to the services (cloud offerings, social networks, online shops, ...) of the IT companies. Trust therefore suggests itself as the topic for discussion with all participants from the IT industry.

In bilateral talks held by RL IT 3 on the margins of the RSA Conference 2014 with representatives of [redacted] and [redacted], it became known that the CEOs of the US IT companies will be in Washington on 20 and 21 May 2014, apparently to discuss possible negative economic consequences in Europe, in particular for [redacted].

Under current plans, the occasion is also to be used to communicate clearly to the outside world your responsibility for data security and data protection.

3. Assessment

For the roundtable it is proposed to make use of the industry's likely presence and to discuss IT security with representatives of all affected sectors of US industry. In this way, data protection could be addressed as a focus alongside data security.

90 minutes are scheduled for the roundtable. A maximum of seven companies should therefore take part in the event, so that about 10 minutes of speaking time remain for each. Declinations are to be expected, and the following invitation list is therefore proposed:

- [redacted] (security of operating systems, cloud computing)
- [redacted] (security of operating systems, cloud computing, social telemedia service)
- [redacted] (security of operating systems, cloud computing)
- [redacted] ([illegible], cloud computing)
- [redacted] (social telemedia service)
- [redacted] (social telemedia service)
- [redacted] (social telemedia service)
- [redacted] (router manufacturer)
- [redacted] (provider of security software)

With these companies, user security and data protection will be the focus of the discussion. Your key messages to the companies could be:

- Major loss of trust in Germany
- Importance of data protection in Germany
- Offer to support the regaining of trust through international standards and national certification.
- But this requires effort and accommodation of our requirements on the part of US industry.
- Which possible measures have the companies already identified?

Dr. Dürig / Dr. Mantz        Dr. Werth
Document 2014/0128482
From: Treib, Heinz Jürgen
Sent: Monday, 17 March 2014 11:23
To: Mantz, Rainer, Dr.
Cc: RegIT3; Spatschke, Norman
Subject: RE: For your consideration, an announcement from the US Government

On this matter I have spoken by phone with BMWi (Mr Schöttner):

What the USA is doing here is evidently not of very great importance for us; for the USA, by contrast (especially the Republicans), the partial "surrender of control over the top Internet organisation" by the Obama administration is a dangerous step towards a takeover by "the evil" UN. In any event, a special role for the USA in the area of Internet governance is coming to an end!

The topic will probably at least be touched on tomorrow in the Cyber SR under the item "Brazil conference". The BMWi representative has been briefed to say something about it.

Specifically, the USA has announced that it will relinquish control over the Internet Assigned Numbers Authority (IANA) and thereby over the root zone of the Domain Name System. BMWi, like apparently the Obama administration, sees this as a step towards global self-administration of the network within a multi-stakeholder model (i.e. not the feared UN takeover of the function).

Background:

To date, ICANN has performed the IANA function on the basis of a contractual agreement with the US government. IANA is the core of the administration of several central Internet infrastructures. These include the DNS root zone with the top-level domains (TLDs) such as ".com", country-specific ones such as ".de", or, more recently, generic ones such as ".hotel" and the like. It also concerns the allocation of IP address blocks and of protocol numbers for the Internet Engineering Task Force (IETF).

The National Telecommunications and Information Administration (NTIA), hitherto responsible for this oversight, has now tasked the Internet Corporation for Assigned Names and Numbers (ICANN) with developing a proposal for the design of the future IANA management. For this, ICANN is to work with the regional Internet administrations, the IETF, other Internet organisations and the global Internet public.

The special role of the USA in overseeing IANA has attracted much criticism in recent years. Most recently, in the NSA scandal, Europe too pressed for internationalisation of Internet administration. Some experts see the danger that other, less liberal states could gain control, and recommend self-administration of the DNS root zone, i.e. self-administration of the servers for name resolution at the root of the DNS on the Internet. BMWi takes the position that, if ICANN is no longer in charge, at least the national governments must have a privileged role.

Reasoning: Nobody should be able to dictate to national governments how many root servers are operated and where; this has to do with customer-friendliness, if, for example, South American queries for ".de" are all routed to São Paulo for resolution and not first to Germany. Self-administration works, and the TKG also contains no provisions that hinder self-administration.
Removed for lack of relevance to the subject of the inquiry
Document 2014/0133129
From: IT3
Sent: Wednesday, 19 March 2014 11:36
To: BSI Poststelle; RegIT3
Cc: IT3_
Subject: Minister's US trip: IT roundtable

Dear colleagues,

many thanks for your proposals for the IT roundtable. Attached you will find the current state of planning (after consultation with the Minister). In particular, it was decided
- to express at the event the Minister's responsibility for data security and data protection,
- to invite representatives of all branches of industry,
- to choose trust as the topic, and
- to call on industry to present possible measures for regaining the trust lost since summer 2013.

I would be grateful if you could prepare for me, by 4 April, a report with ideas for possible measures by US industry to regain trust.

I welcome suggestions on further planning, e.g. the invitation list, at any time. By phone as well.

[Attachment: 140318 Min-USA_IT-Roundtable.docx]

Kind regards

on behalf of
Dr. Sören Werth

Division IT 3
Federal Ministry of the Interior
Alt-Moabit 101D, 10559 Berlin
Phone: 030 18681 2676

E-mail: soeren.werth@bmi.bund.de

www.bmi.bund.de

Attachments to document 2014-0133129.msg

1. 140318 Min-USA_IT-Roundtable.docx (2 pages)
Division IT 3
Ref.: IT3-17002/17#9                18.03.2014
Desk officer: Dr. Werth, tel. 2676

Background:
A roundtable with US IT companies is being planned for the Minister's US trip from 19 to 21 May 2014.

- The disclosures about the NSA since summer 2013 have shaken trust in the Internet. This applies both to the products (hardware and software) and to the services (cloud offerings, social networks, online shops, ...) of the IT companies. Trust therefore suggests itself as the topic for discussion with all participants from the IT industry.

- In bilateral talks held by RL IT 3 on the margins of the RSA Conference 2014 with representatives of [redacted], it became known that the CEOs of the US IT companies will be in Washington on 20 and 21 May 2014, apparently to discuss possible negative economic consequences in Europe, in particular for [redacted].

- The occasion is also to be used to communicate clearly to the outside world the Federal Minister of the Interior's responsibility for data security and data protection.

Planning status:

For the roundtable it is intended to make use of the industry's likely presence and to discuss IT security with representatives of all affected sectors of US industry. In this way, data protection can be addressed as a focus alongside data security.

90 minutes are scheduled for the roundtable. A maximum of seven companies should therefore take part in the event, so that about 10 minutes of speaking time remain for each. Declinations are to be expected, and planning is currently based on the following invitation list:

- [redacted] ([illegible], cloud computing)
- [redacted] (operating systems, cloud computing, social telemedia service)
- [redacted] (operating systems, cloud computing)
- [redacted] (online shop, cloud computing)
- [redacted] (social telemedia service)
- [redacted] ([illegible] telemedia service)
- [redacted] (social telemedia service)
- [redacted] (router manufacturer)
- [redacted] (provider of security software)

With these companies, user security and data protection will be the focus of the discussion. The Minister's key messages to the companies could be:

- Major loss of trust in Germany
- Importance of data protection in Germany
- Offer to support the regaining of trust through international standards and national certification.
- But this requires effort and accommodation of our requirements on the part of US industry.
- Which possible measures have the companies already identified?
From: Dürig, Markus, Dr.
Sent: Wednesday, 21 August 2013 17:44
To: Mantz, Rainer, Dr.; RegIT3
Cc: Dimroth, Johannes, Dr.; Treib, Heinz Jürgen
Subject: FW: Request for coordination - visit of Michael Daniel to Germany
Importance: High

For information

-----Original Message-----
From: Dürig, Markus, Dr.
Sent: Wednesday, 21 August 2013 17:43
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin
Subject: FW: Request for coordination - visit of Michael Daniel to Germany
Importance: High

Dear Mr Franssen,

I strongly support the proposal - especially since Stn RG and Mr Daniel have already met several times.
We should on no account leave the field to the AA.

Will you reply?

Best regards

Markus Dürig

-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 21 August 2013 16:57
To: Franßen-Sanchez de la Cerda, Boris; Dürig, Markus, Dr.
Cc: Schallbruch, Martin; Klee, Kristina, Dr.; Binder, Thomas; Banisch, Björn; Dimroth, Johannes, Dr.
Subject: Request for coordination - visit of Michael Daniel to Germany
Importance: High

Dear Mr Franßen de la Cerda,
Dear Mr Dürig,

the White House Cyber Coordinator, Michael Daniel, will give a speech at the BKA autumn conference in Wiesbaden in November 2013.

Since he will be in Germany, it would make sense for him to hold further talks with competent partners in Berlin. In my view it would be very appropriate to arrange a meeting with Stn RG and/or Mr Schallbruch, and not to leave the field with the new cyber coordinator to the AA alone. The AA already knows about the trip.

The BKA liaison officer is meeting this week or next with Daniel's staff member Andrew Scott, who will probably also accompany him to Germany. To arrange further talks he depends on indications at quite short notice. Shall I signal our interest to him and, if appropriate, take part in the exploratory talk?

Michael Vogel
Strahl, Claudia
From: Dürig, Markus, Dr.
Sent: Monday, 26 August 2013 12:01
To: Treib, Heinz Jürgen; RegIT3
Cc: Strahl, Claudia; Mantz, Rainer, Dr.
Subject: FW: Request for coordination - visit of Michael Daniel to Germany

Please take over coordination of the preparations.

Dr. Markus Dürig

Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D, 10559 Berlin

Tel.: 030 18 681 1374

PC fax: +49 30 18 681 5 1374

e-mail: markus.duerig@bmi.bund.de

-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Monday, 26 August 2013 10:49
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - visit of Michael Daniel to Germany

Dear Mr Vogel,

as requested, I am sending you the following topic proposals of the IT staff for the envisaged talk between Stn RG and the White House Cyber Coordinator:

- status of legislation on protecting critical infrastructures (KRITIS) against cyber attacks in the USA and Germany,
- development of the cyber topic in Germany in the 18th legislative term,
- PRISM and the outlook for data protection and data security in Germany,
- international matters:
  - Seoul Conference (17/18 October),
  - World Summit on the Information Society 2015, preparatory conferences 2014,
  - capacity building,
- EU: cyber security strategy and NIS Directive.

Best regards
Boris Franßen-de la Cerda

-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Thursday, 22 August 2013 18:49
To: Franßen-Sanchez de la Cerda, Boris; Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - visit of Michael Daniel to Germany

Dear Mr Franßen-Sanchez de la Cerda,
Many thanks.

I have coordinated with the BKA liaison officer and will also meet Mr Scott. The meeting will probably take place next week. The BKA liaison officer is organising it.

What approximate topics/wishes for the talk may I announce?
Best regards

Michael Vogel

Sent from my HTC

----- Original Message -----
From: Franßen-Sanchez de la Cerda, Boris <Boris.FranssenSanchezdelaCerda@bmi.bund.de>
Sent: Thursday, 22 August 2013 03:57
To: Vogel, Michael, Dr. <Michael.Vogel@bmi.bund.de>
Cc: Schallbruch, Martin <Martin.Schallbruch@bmi.bund.de>; Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de>; Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>; Binder, Thomas <Thomas.Binder@bmi.bund.de>; Klee, Kristina, Dr. <Kristina.Klee@bmi.bund.de>; Banisch, Björn <Bjoern.Banisch@bmi.bund.de>
Subject: RE: Request for coordination - visit of Michael Daniel to Germany

Dear Mr Vogel,

State Secretary Rogall-Grothe would strongly welcome it if a meeting with Mr Daniel could be arranged.

I would therefore be very grateful if you could not only signal our interest to the BKA liaison officer but, if possible, also take part in the exploratory talk yourself, in order to underline our interest to Mr Scott.

Best regards from Berlin,
BFdlC
From: Dürig, Markus, Dr.
Sent: Friday, 30 August 2013 08:57
To: Treib, Heinz Jürgen; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: FW: Visit of Michael Daniel to Germany

Please prepare by 6.11.
Follow-up 1.11. (status?)

Dr. Markus Dürig
Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D, 10559 Berlin
Tel.: 030 18 681 1374
PC fax: +49 30 18 681 5 1374
e-mail: markus.duerig@bmi.bund.de

-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Friday, 30 August 2013 00:41
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,
at today's talk with Mr Scott I passed on your topic requests.

Michael Daniel's travel schedule is not yet fully confirmed. Ideally it is to look as follows, though this will only be clarified within the next 2 weeks:

- 12.11.2013 Arrival Wiesbaden/BKA
- 13.11.2013 Participation in the BKA conference (confirmed)
  Onward travel to Berlin
- 14.11.2013 Talks in Berlin (US Embassy, Stn RG and AA cyber coordinator)
  Onward travel ...

Accordingly, as things stand, either a dinner on 13.11.13 or a meeting the following day would be possible. Where would your preferences lie?

Mr Daniel will probably meet P BKA, BfV and BSI in the context of the conference.

Independently of the fine-tuning of the topics, Mr Daniel would like to discuss the topic "Framework for collective actions". Specifically, this is about creating a framework that sets out clearly how joint action can be taken within international cooperation (which legal options exist in the respective states to, for example, act against DDoS attacks, etc.).

Best regards

-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Thursday, 29 August 2013 10:37
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - visit of Michael Daniel to Germany

Dear Mr Vogel,

according to current planning, Stn RG will not take part in the BKA conference. A meeting would therefore have to be planned for Berlin.

Kind regards
Boris Franßen-de la Cerda

-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 28 August 2013 21:47
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,

I will meet Mr Scott tomorrow (14:00 local time). Will Ms Rogall-Grothe possibly attend the BKA conference? That would give us the option of organising a meeting on site, if it fits her schedule.

Best regards
Michael Vogel
@®-- ursprüngliche Nachricht----- 
Von: Franßen-Sanchez de la Cerda, Boris 
Gesendet: Montag, 26. August 2013 10:49 
An: Vogel, Michael, Dr. 
Ce: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, ‚Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, 
Björn 
Betreff: AW: Bitte um Abstimmung - Besuch Michael Daniel in Deutschland 


Lieber Herr Vogel, 


wie erbeten übersende ich die nachfolgenden Themenvorschläge des IT-Stabs für das angedachte Gespräch von Stn 
RG mit dem Cyberkoordinator des Weißen Hauses: 


- Stand Gesetzgebung Kritis-Schutz gegen Cyber-Angriffe in USA und D, 
- Entwicklung des Themas Cyber in D in der 18. LP, 
- PRISM und Ausblick auf Datenschutz und -sicherheit in D, 
- Internationales: 
- Seoul-Conference (17./18.10.), 
- Weltgipfel der Informationsgesellschaft 2015, Vorkonferenzen 2014, 


2 





MAT A BMI-1-11e_12.pdf, Blatt 462 


- capacity builiding, 460 


- EU: Cyber-Sicherheitsstrategie und NIS Richtlinie. 


Besten Gruß 
Boris Franßen-de la Cerda 


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Thursday, 22 August 2013 18:49
To: Franßen-Sanchez de la Cerda, Boris; Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-Sanchez de la Cerda,
Many thanks.

I have coordinated with the BKA VB and will also meet Mr Scott. The meeting will probably take place next week. The VB BKA is taking care of the organisation.

Which approximate topics/wishes for the talks may I announce?
Best regards

Michael Vogel

Sent from my HTC


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris <Boris.FranssenSanchezdelaCerda@bmi.bund.de>
Sent: Thursday, 22 August 2013 03:57
To: Vogel, Michael, Dr. <Michael.Vogel@bmi.bund.de>
Cc: Schallbruch, Martin <Martin.Schallbruch@bmi.bund.de>; Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de>; Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>; Binder, Thomas <Thomas.Binder@bmi.bund.de>; Klee, Kristina, Dr. <Kristina.Klee@bmi.bund.de>; Banisch, Björn <Bjoern.Banisch@bmi.bund.de>
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

Stn Rogall-Grothe would strongly welcome it if an appointment with Mr Daniel could be arranged.

I would therefore be very grateful if you could not only signal the interest here to the BKA-VB, but if possible also take part in the exploratory meeting yourself, in order to underline the interest here vis-à-vis Mr Scott.

Best regards from Berlin,
BFdlC


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 21 August 2013 16:57
To: Franßen-Sanchez de la Cerda, Boris; Dürig, Markus, Dr.
Cc: Schallbruch, Martin; Klee, Kristina, Dr.; Binder, Thomas; Banisch, Björn; Dimroth, Johannes, Dr.
Subject: Request for coordination - Visit of Michael Daniel to Germany
Importance: High

Dear Mr Franßen de la Cerda,
Dear Mr Dürig,

The White House Cyber Coordinator, Michael Daniel, will give a speech at the BKA autumn conference in Wiesbaden in November 2013.

Since he will be in Germany, it makes sense for him to hold further talks with competent partners in Berlin. In my view it would be highly advisable to arrange an appointment with Stn RG and/or Mr Schallbruch and not to leave the field to the AA alone with the new Cyber Coordinator. The AA already knows about the trip.

The BKA-VB is meeting this week or next with Daniel's staff member Andrew Scott, who will probably also accompany him to Germany. For arranging further talks he depends on rather short-notice pointers. Should I signal our interest to him and, if appropriate, take part in the exploratory meeting?

Michael Vogel
Strahl, Claudia

From: Treib, Heinz Jürgen
Sent: Friday, 30 August 2013 09:14
To: Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: RE: Visit of Michael Daniel to Germany

Perhaps we could also add this as the point

"Work on an international cooperation framework for collective actions with respect to the defense of cyber-attacks"

I would suggest that we already ask the BSI for comments on this. What do you think?


-----Original Message-----
From: Dürig, Markus, Dr.
Sent: Friday, 30 August 2013 08:57
To: Treib, Heinz Jürgen; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: FW: Visit of Michael Daniel to Germany

Please prepare by 6.11.
Resubmission 1.11. (status?)

Dr. Markus Dürig
Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D
10559 Berlin

Tel.: 030 18 681 1374

PC-Fax: +49 30 18 681 5 1374

email: markus.duerig@bmi.bund.de


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Friday, 30 August 2013 00:41
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,
At today's meeting with Mr Scott I passed on your topic wishes.

Michael Daniel's travel plan is not yet fully confirmed. Ideally it should look as follows, which will be clarified within the next two weeks:

- 12.11.2013 Arrival Wiesbaden/BKA
- 13.11.2013 Participation in the BKA conference (confirmed)
  Onward travel to Berlin
- 14.11.2013 Talks in Berlin (US Embassy, Stn RG and AA Cyber Coordinator)
  Onward travel

Accordingly, as things stand, either a dinner on 13.11.13 or a meeting the following day would be possible. Where would your preferences lie?
Mr Daniel will probably meet P BKA, BfV and BSI in the context of the conference.

Independently of the fine-tuning of the topics, Mr Daniel would like to discuss the topic "Framework for collective actions". Specifically, this is about creating a framework that makes clear how to act jointly within international cooperation (which legal options exist in the respective states, e.g. to take active action against DDoS attacks, etc.).

Best regards
Michael Vogel


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Thursday, 29 August 2013 10:37
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

According to current planning, Stn RG will not take part in the BKA conference. A meeting would therefore have to be "planned" for Berlin.

Kind regards
Boris Franßen-de la Cerda


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 28 August 2013 21:47
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,

I will meet Mr Scott tomorrow (2 pm local time). Will Ms Rogall-Grothe perhaps take part in the BKA conference? That would give us the option of organising a meeting on site, if it fits into her schedule.

Best regards

Michael Vogel

-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Monday, 26 August 2013 10:49
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

As requested, I am sending the following topic proposals from the IT staff for the planned talk between Stn RG and the White House Cyber Coordinator:

- status of legislation on protecting critical infrastructure (KRITIS) against cyber attacks in the USA and Germany,
- development of the cyber topic in Germany in the 18th legislative term,
- PRISM and outlook for data protection and data security in Germany,
- international:
  - Seoul Conference (17/18 October),
  - World Summit on the Information Society 2015, preparatory conferences 2014,
  - capacity building,
- EU: Cyber Security Strategy and NIS Directive.

Best regards
Boris Franßen-de la Cerda


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Thursday, 22 August 2013 18:49
To: Franßen-Sanchez de la Cerda, Boris; Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-Sanchez de la Cerda,

Many thanks.

I have coordinated with the BKA VB and will also meet Mr Scott. The meeting will probably take place next week. The VB BKA is taking care of the organisation.

Which approximate topics/wishes for the talks may I announce?
Best regards

Michael Vogel

Sent from my HTC


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris <Boris.FranssenSanchezdelaCerda@bmi.bund.de>
Sent: Thursday, 22 August 2013 03:57
To: Vogel, Michael, Dr. <Michael.Vogel@bmi.bund.de>
Cc: Schallbruch, Martin <Martin.Schallbruch@bmi.bund.de>; Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de>; Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>; Binder, Thomas <Thomas.Binder@bmi.bund.de>; Klee, Kristina, Dr. <Kristina.Klee@bmi.bund.de>; Banisch, Björn <Bjoern.Banisch@bmi.bund.de>
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

Stn Rogall-Grothe would strongly welcome it if an appointment with Mr Daniel could be arranged.

I would therefore be very grateful if you could not only signal the interest here to the BKA-VB, but if possible also take part in the exploratory meeting yourself, in order to underline the interest here vis-à-vis Mr Scott.

Best regards from Berlin,
BFdlC


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 21 August 2013 16:57
To: Franßen-Sanchez de la Cerda, Boris; Dürig, Markus, Dr.
Cc: Schallbruch, Martin; Klee, Kristina, Dr.; Binder, Thomas; Banisch, Björn; Dimroth, Johannes, Dr.
Subject: Request for coordination - Visit of Michael Daniel to Germany
Importance: High

Dear Mr Franßen de la Cerda,
Dear Mr Dürig,

The White House Cyber Coordinator, Michael Daniel, will give a speech at the BKA autumn conference in Wiesbaden in November 2013.

Since he will be in Germany, it makes sense for him to hold further talks with competent partners in Berlin. In my view it would be highly advisable to arrange an appointment with Stn RG and/or Mr Schallbruch and not to leave the field to the AA alone with the new Cyber Coordinator. The AA already knows about the trip.

The BKA-VB is meeting this week or next with Daniel's staff member Andrew Scott, who will probably also accompany him to Germany. For arranging further talks he depends on rather short-notice pointers. Should I signal our interest to him and, if appropriate, take part in the exploratory meeting?

Michael Vogel
Strahl, Claudia

From: Treib, Heinz Jürgen
Sent: Friday, 30 August 2013 09:50
To: Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: RE: Visit of Michael Daniel to Germany

Sorry, I meant of course
to include the point in the SCG action plan that we are currently negotiating.


-----Original Message-----
From: Treib, Heinz Jürgen
Sent: Friday, 30 August 2013 09:14
To: Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: RE: Visit of Michael Daniel to Germany

Perhaps we could also add this as the point

"Work on an international cooperation framework for collective actions with respect to the defense of cyber-attacks"

I would suggest that we already ask the BSI for comments on this. What do you think?


-----Original Message-----
From: Dürig, Markus, Dr.
Sent: Friday, 30 August 2013 08:57
To: Treib, Heinz Jürgen; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: FW: Visit of Michael Daniel to Germany

Please prepare by 6.11.

Resubmission 1.11. (status?)

Dr. Markus Dürig
Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D
10559 Berlin

Tel.: 030 18 681 1374

PC-Fax: +49 30 18 681 5 1374

email: markus.duerig@bmi.bund.de


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Friday, 30 August 2013 00:41
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,
At today's meeting with Mr Scott I passed on your topic wishes.

Michael Daniel's travel plan is not yet fully confirmed. Ideally it should look as follows, which will be clarified within the next two weeks:

- 12.11.2013 Arrival Wiesbaden/BKA
- 13.11.2013 Participation in the BKA conference (confirmed)
  Onward travel to Berlin
- 14.11.2013 Talks in Berlin (US Embassy, Stn RG and AA Cyber Coordinator)
  Onward travel

Accordingly, as things stand, either a dinner on 13.11.13 or a meeting the following day would be possible. Where would your preferences lie?

Mr Daniel will probably meet P BKA, BfV and BSI in the context of the conference.

Independently of the fine-tuning of the topics, Mr Daniel would like to discuss the topic "Framework for collective actions". Specifically, this is about creating a framework that makes clear how to act jointly within international cooperation (which legal options exist in the respective states, e.g. to take active action against DDoS attacks, etc.).

Best regards
Michael Vogel


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Thursday, 29 August 2013 10:37
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

According to current planning, Stn RG will not take part in the BKA conference. A meeting would therefore have to be "planned" for Berlin.

Kind regards
Boris Franßen-de la Cerda


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 28 August 2013 21:47
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,

I will meet Mr Scott tomorrow (2 pm local time). Will Ms Rogall-Grothe perhaps take part in the BKA conference? That would give us the option of organising a meeting on site, if it fits into her schedule.

Best regards
Michael Vogel


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Monday, 26 August 2013 10:49
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

As requested, I am sending the following topic proposals from the IT staff for the planned talk between Stn RG and the White House Cyber Coordinator:

- status of legislation on protecting critical infrastructure (KRITIS) against cyber attacks in the USA and Germany,
- development of the cyber topic in Germany in the 18th legislative term,
- PRISM and outlook for data protection and data security in Germany,
- international:
  - Seoul Conference (17/18 October),
  - World Summit on the Information Society 2015, preparatory conferences 2014,
  - capacity building,
- EU: Cyber Security Strategy and NIS Directive.

Best regards
Boris Franßen-de la Cerda


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Thursday, 22 August 2013 18:49
To: Franßen-Sanchez de la Cerda, Boris; Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-Sanchez de la Cerda,

Many thanks.

I have coordinated with the BKA VB and will also meet Mr Scott. The meeting will probably take place next week. The VB BKA is taking care of the organisation.

Which approximate topics/wishes for the talks may I announce?
Best regards

Michael Vogel

Sent from my HTC


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris <Boris.FranssenSanchezdelaCerda@bmi.bund.de>
Sent: Thursday, 22 August 2013 03:57
To: Vogel, Michael, Dr. <Michael.Vogel@bmi.bund.de>
Cc: Schallbruch, Martin <Martin.Schallbruch@bmi.bund.de>; Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de>; Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>; Binder, Thomas <Thomas.Binder@bmi.bund.de>; Klee, Kristina, Dr. <Kristina.Klee@bmi.bund.de>; Banisch, Björn <Bjoern.Banisch@bmi.bund.de>
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

Stn Rogall-Grothe would strongly welcome it if an appointment with Mr Daniel could be arranged.

I would therefore be very grateful if you could not only signal the interest here to the BKA-VB, but if possible also take part in the exploratory meeting yourself, in order to underline the interest here vis-à-vis Mr Scott.

Best regards from Berlin,
BFdlC


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 21 August 2013 16:57
To: Franßen-Sanchez de la Cerda, Boris; Dürig, Markus, Dr.
Cc: Schallbruch, Martin; Klee, Kristina, Dr.; Binder, Thomas; Banisch, Björn; Dimroth, Johannes, Dr.
Subject: Request for coordination - Visit of Michael Daniel to Germany
Importance: High

Dear Mr Franßen de la Cerda,
Dear Mr Dürig,

The White House Cyber Coordinator, Michael Daniel, will give a speech at the BKA autumn conference in Wiesbaden in November 2013.

Since he will be in Germany, it makes sense for him to hold further talks with competent partners in Berlin. In my view it would be highly advisable to arrange an appointment with Stn RG and/or Mr Schallbruch and not to leave the field to the AA alone with the new Cyber Coordinator. The AA already knows about the trip.

The BKA-VB is meeting this week or next with Daniel's staff member Andrew Scott, who will probably also accompany him to Germany. For arranging further talks he depends on rather short-notice pointers. Should I signal our interest to him and, if appropriate, take part in the exploratory meeting?

Michael Vogel
Strahl, Claudia

From: Dürig, Markus, Dr.
Sent: Friday, 30 August 2013 17:53
To: Treib, Heinz Jürgen; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia; Dimroth, Johannes, Dr.
Subject: RE: Visit of Michael Daniel to Germany

Hm, but the SCG is only between DHS and us? Does that fit?

Dr. Markus Dürig

Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D
10559 Berlin

Tel.: 030 18 681 1374

PC-Fax: +49 30 18 681 5 1374

email: markus.duerig@bmi.bund.de


-----Original Message-----
From: Treib, Heinz Jürgen
Sent: Friday, 30 August 2013 09:50
To: Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: RE: Visit of Michael Daniel to Germany

Sorry, I meant of course
to include the point in the SCG action plan that we are currently negotiating.


-----Original Message-----
From: Treib, Heinz Jürgen
Sent: Friday, 30 August 2013 09:14
To: Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: RE: Visit of Michael Daniel to Germany

Perhaps we could also add this as the point
"Work on an international cooperation framework for collective actions with respect to the defense of cyber-attacks"
I would suggest that we already ask the BSI for comments on this. What do you think?
-----Original Message-----
From: Dürig, Markus, Dr.
Sent: Friday, 30 August 2013 08:57
To: Treib, Heinz Jürgen; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: FW: Visit of Michael Daniel to Germany
Please prepare by 6.11.
Resubmission 1.11. (status?)

Dr. Markus Dürig
Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D
10559 Berlin

Tel.: 030 18 681 1374

PC-Fax: +49 30 18 681 5 1374

email: markus.duerig@bmi.bund.de


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Friday, 30 August 2013 00:41
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,
At today's meeting with Mr Scott I passed on your topic wishes.

Michael Daniel's travel plan is not yet fully confirmed. Ideally it should look as follows, which will be clarified within the next two weeks:

- 12.11.2013 Arrival Wiesbaden/BKA
- 13.11.2013 Participation in the BKA conference (confirmed)
  Onward travel to Berlin
- 14.11.2013 Talks in Berlin (US Embassy, Stn RG and AA Cyber Coordinator)
  Onward travel

Accordingly, as things stand, either a dinner on 13.11.13 or a meeting the following day would be possible. Where would your preferences lie?

Mr Daniel will probably meet P BKA, BfV and BSI in the context of the conference.

Independently of the fine-tuning of the topics, Mr Daniel would like to discuss the topic "Framework for collective actions". Specifically, this is about creating a framework that makes clear how to act jointly within international cooperation (which legal options exist in the respective states, e.g. to take active action against DDoS attacks, etc.).
Best regards
Michael Vogel


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Thursday, 29 August 2013 10:37
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

According to current planning, Stn RG will not take part in the BKA conference. A meeting would therefore have to be "planned" for Berlin.
Kind regards
Boris Franßen-de la Cerda


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 28 August 2013 21:47
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,

I will meet Mr Scott tomorrow (2 pm local time). Will Ms Rogall-Grothe perhaps take part in the BKA conference? That would give us the option of organising a meeting on site, if it fits into her schedule.

Best regards

Michael Vogel


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Monday, 26 August 2013 10:49
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

As requested, I am sending the following topic proposals from the IT staff for the planned talk between Stn RG and the White House Cyber Coordinator:

- status of legislation on protecting critical infrastructure (KRITIS) against cyber attacks in the USA and Germany,
- development of the cyber topic in Germany in the 18th legislative term,
- PRISM and outlook for data protection and data security in Germany,
- international:
  - Seoul Conference (17/18 October),
  - World Summit on the Information Society 2015, preparatory conferences 2014,
  - capacity building,
- EU: Cyber Security Strategy and NIS Directive.

Best regards
Boris Franßen-de la Cerda


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Thursday, 22 August 2013 18:49
To: Franßen-Sanchez de la Cerda, Boris; Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-Sanchez de la Cerda,
Many thanks.

I have coordinated with the BKA VB and will also meet Mr Scott. The meeting will probably take place next week. The VB BKA is taking care of the organisation.

Which approximate topics/wishes for the talks may I announce?
Best regards

Michael Vogel

Sent from my HTC


-----Original Message-----
From: Franßen-Sanchez de la Cerda, Boris <Boris.FranssenSanchezdelaCerda@bmi.bund.de>
Sent: Thursday, 22 August 2013 03:57
To: Vogel, Michael, Dr. <Michael.Vogel@bmi.bund.de>
Cc: Schallbruch, Martin <Martin.Schallbruch@bmi.bund.de>; Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de>; Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>; Binder, Thomas <Thomas.Binder@bmi.bund.de>; Klee, Kristina, Dr. <Kristina.Klee@bmi.bund.de>; Banisch, Björn <Bjoern.Banisch@bmi.bund.de>
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

Stn Rogall-Grothe would strongly welcome it if an appointment with Mr Daniel could be arranged.

I would therefore be very grateful if you could not only signal the interest here to the BKA-VB, but if possible also take part in the exploratory meeting yourself, in order to underline the interest here vis-à-vis Mr Scott.

Best regards from Berlin,

BFdlC


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Wednesday, 21 August 2013 16:57
To: Franßen-Sanchez de la Cerda, Boris; Dürig, Markus, Dr.
Cc: Schallbruch, Martin; Klee, Kristina, Dr.; Binder, Thomas; Banisch, Björn; Dimroth, Johannes, Dr.
Subject: Request for coordination - Visit of Michael Daniel to Germany
Importance: High

Dear Mr Franßen de la Cerda,
Dear Mr Dürig,

The White House Cyber Coordinator, Michael Daniel, will give a speech at the BKA autumn conference in Wiesbaden in November 2013.

Since he will be in Germany, it makes sense for him to hold further talks with competent partners in Berlin. In my view it would be highly advisable to arrange an appointment with Stn RG and/or Mr Schallbruch and not to leave the field to the AA alone with the new Cyber Coordinator. The AA already knows about the trip.

The BKA-VB is meeting this week or next with Daniel's staff member Andrew Scott, who will probably also accompany him to Germany. For arranging further talks he depends on rather short-notice pointers. Should I signal our interest to him and, if appropriate, take part in the exploratory meeting?

Michael Vogel
Strahl, Claudia

From: Treib, Heinz Jürgen
Sent: Saturday, 31 August 2013 13:53
To: Dürig, Markus, Dr.; Treib, Heinz Jürgen; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia; Dimroth, Johannes, Dr.
Subject: RE: Visit of Michael Daniel to Germany

DHS and BMI could consider which framework conditions, communication channels, standards for information exchange, data freezing etc. are needed, and compile problems from experience. As a result, joint proposals for improvement would then have to be taken into the appropriate multilateral bodies.

Sent from my Windows Mobile® phone.


-----Original Message-----
From: Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de>
Sent: Friday, 30 August 2013 17:52
To: Treib, Heinz Jürgen <HeinzJuergen.Treib@bmi.bund.de>; RegIT3 <RegIT3@bmi.bund.de>
Cc: Mantz, Rainer, Dr. <Rainer.Mantz@bmi.bund.de>; Strahl, Claudia <Claudia.Strahl@bmi.bund.de>; Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>
Subject: RE: Visit of Michael Daniel to Germany

Hm, but the SCG is only between DHS and us? Does that fit?

Dr. Markus Dürig

Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D
10559 Berlin

Tel.: 030 18 681 1374

PC-Fax: +49 30 18 681 5 1374

email: markus.duerig@bmi.bund.de


-----Original Message-----
From: Treib, Heinz Jürgen
Sent: Friday, 30 August 2013 09:50
To: Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: RE: Visit of Michael Daniel to Germany

Sorry, I meant of course
to include the point in the SCG action plan that we are currently negotiating.


-----Original Message-----
From: Treib, Heinz Jürgen
Sent: Friday, 30 August 2013 09:14
To: Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: RE: Visit of Michael Daniel to Germany

Perhaps we could also add this as the point

"Work on an international cooperation framework for collective actions with respect to the defense of cyber-attacks"

I would suggest that we already ask the BSI for comments on this. What do you think?


-----Original Message-----
From: Dürig, Markus, Dr.
Sent: Friday, 30 August 2013 08:57
To: Treib, Heinz Jürgen; Dimroth, Johannes, Dr.; RegIT3
Cc: Mantz, Rainer, Dr.; Strahl, Claudia
Subject: FW: Visit of Michael Daniel to Germany

Please prepare by 6.11.
Resubmission 1.11. (status?)

Dr. Markus Dürig
Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de


-----Original Message-----
From: Vogel, Michael, Dr.
Sent: Friday, 30 August 2013 00:41
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: Visit of Michael Daniel to Germany
Dear Mr Franßen-de la Cerda,

At today's meeting with Mr Scott I passed on your topic wishes.

Michael Daniel's travel plan is not yet fully confirmed. Ideally it should look as follows, which will be clarified within the next two weeks:

- 12.11.2013 Arrival Wiesbaden/BKA
- 13.11.2013 Participation in the BKA conference (confirmed)
  Onward travel to Berlin
- 14.11.2013 Talks in Berlin (US Embassy, Stn RG and AA Cyber Coordinator)
  Onward travel

Accordingly, as things stand, either a dinner on 13.11.13 or a meeting the following day would be possible. Where would your preferences lie?

Mr Daniel will probably meet P BKA, BfV and BSI in the context of the conference.

Independently of the fine-tuning of the topics, Mr Daniel would like to discuss the topic "Framework for collective actions". Specifically, this is about creating a framework that makes clear how to act jointly within international cooperation (which legal options exist in the respective states, e.g. to take active action against DDoS attacks, etc.).

Best regards
Michael Vogel
----- Original Message -----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Thursday, 29 August 2013 10:37
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

according to current planning, Stn RG will not attend the BKA conference. A meeting would therefore have to be "scheduled" for Berlin.

Kind regards
Boris Franßen-de la Cerda

----- Original Message -----
From: Vogel, Michael, Dr.
Sent: Wednesday, 28 August 2013 21:47
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn; Treib, Heinz Jürgen
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,

I will meet with Mr Scott tomorrow (2 p.m. local time). Will Ms Rogall-Grothe possibly attend the BKA conference? That would give us the option of organising a meeting on site, if it fits into her schedule.

Best regards
Michael Vogel

----- Original Message -----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Monday, 26 August 2013 10:49
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

as requested, I am sending the following topic proposals of the IT staff for the planned conversation between Stn RG and the White House cyber coordinator:

- Status of legislation on critical infrastructure (KRITIS) protection against cyber attacks in the USA and Germany,
- Development of the cyber topic in Germany in the 18th legislative period,
- PRISM and outlook for data protection and data security in Germany,
- International:
  - Seoul Conference (17/18 Oct.),
  - World Summit on the Information Society 2015, preparatory conferences 2014,
- EU: Cyber security strategy and NIS Directive.

Best regards
Boris Franßen-de la Cerda

----- Original Message -----
From: Vogel, Michael, Dr.
Sent: Thursday, 22 August 2013 18:49
To: Franßen-Sanchez de la Cerda, Boris; Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Franßen-Sanchez de la Cerda,
many thanks.

I have coordinated with the BKA VB and will also meet Mr Scott. The meeting will probably take place next week. VB BKA is handling the organisation.

Which approximate discussion topics/wishes may I announce?
Best regards

Michael Vogel

Sent from my HTC

----- Original Message -----
From: Franßen-Sanchez de la Cerda, Boris <Boris.FranssenSanchezdelaCerda@bmi.bund.de>
Sent: Thursday, 22 August 2013 03:57
To: Vogel, Michael, Dr. <Michael.Vogel@bmi.bund.de>
Cc: Schallbruch, Martin <Martin.Schallbruch@bmi.bund.de>; Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de>; Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>; Binder, Thomas <Thomas.Binder@bmi.bund.de>; Klee, Kristina, Dr. <Kristina.Klee@bmi.bund.de>; Banisch, Björn <Bjoern.Banisch@bmi.bund.de>
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany

Dear Mr Vogel,

Ms Stn Rogall-Grothe would strongly welcome it if an appointment with Mr Daniel could be arranged.

I would therefore be very grateful if you could not only signal our interest to the BKA VB but, if possible, also take part in the exploratory meeting yourself, in order to underline our interest to Mr Scott.

Best regards from Berlin,
BFdlC

----- Original Message -----
From: Vogel, Michael, Dr.
Sent: Wednesday, 21 August 2013 16:57
To: Franßen-Sanchez de la Cerda, Boris; Dürig, Markus, Dr.
Cc: Schallbruch, Martin; Klee, Kristina, Dr.; Binder, Thomas; Banisch, Björn; Dimroth, Johannes, Dr.
Subject: Request for coordination - Visit of Michael Daniel to Germany
Importance: High

Dear Mr Franßen de la Cerda,
Dear Mr Dürig,

the White House cyber coordinator, Michael Daniel, will give a speech at the BKA autumn conference in Wiesbaden in November 2013.

Since he will be in Germany, it makes sense for him to hold further talks with competent partners in Berlin. In my view it would be very advisable to arrange an appointment with Stn RG and/or Mr Schallbruch and not to leave the field to the AA alone with the new cyber coordinator. The AA already knows about the trip.

The BKA VB is meeting this week or next with Daniel's staff member Andrew Scott, who will probably also accompany him to Germany. For arranging further talks he depends on being given pointers at quite short notice. Should I signal our interest to him and, if appropriate, take part in the exploratory meeting?

Michael Vogel
From: Treib, Heinz Jürgen
Sent: Wednesday, 11 September 2013 08:43
To: Dürig, Markus, Dr.; Mantz, Rainer, Dr.
Cc: IT3_; RegIT3
Subject: FW: Visit of Michael Daniel to Germany

Dear heads of division,

as to content, I understand Michael Daniel's wish "creation of a framework that makes clear how one can act jointly within international cooperation - which legal options exist in the respective states, e.g. to take active action against DDoS attacks, etc." to mean that, in practice, an overview/register/directory is to be drawn up of states, their competent authorities, and the legal, technical and procedural requirements etc. for countering cyber attacks.

In my view, one could consider something like this as a project for the G8 states, e.g. as a joint DEU/US project, and in a second step possibly extend it to the 24/7 network with 60 states.

To begin with, I could discuss this next week with Jordana Siegel. We could also include the development of a corresponding project as an action under the SCG banner.

What do you think? Does it make sense?
Kind regards
----- Original Message -----
From: Franßen-Sanchez de la Cerda, Boris
Sent: Tuesday, 10 September 2013 21:50
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Treib, Heinz Jürgen; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: FW: Visit of Michael Daniel to Germany

Dear Mr Vogel,

Stn RG would like to receive Mr Daniel for dinner on 13.11.2013. This would be the preferable option, because Stn RG has a commitment in Cologne on the morning of 14.11.2013. If need be, she could also have someone represent her there, but that would be the worse alternative.

Best regards
Boris Franßen-de la Cerda
Strahl, Claudia

From: Dürig, Markus, Dr.
Sent: Wednesday, 11 September 2013 09:15
To: Treib, Heinz Jürgen; Mantz, Rainer, Dr.
Cc: IT3_; RegIT3
Subject: RE: Visit of Michael Daniel to Germany

I understand it differently: creation of a UN(?) framework that regulates how and who may take action against DDoS attacks under international law / public international law: attribution of governments' failure to act against attacks, permission for the attacked state/government to act on the territory of the state from which the attack originates (as in international environmental law), etc. - all the questions we had already put on the agenda before the GGE.

I would prepare it that way for the conversation with Daniels. Your proposal seems very extensive to me - we should only propose it reactively.

Regards MD

Dr. Markus Dürig
Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de
Strahl, Claudia

From: Dürig, Markus, Dr.
Sent: Thursday, 10 October 2013 14:59
To: Treib, Heinz Jürgen; RegIT3
Cc: Dimroth, Johannes, Dr.; Mantz, Rainer, Dr.; Pilgermann, Michael, Dr.
Subject: FW: Visit of Michael Daniel to Germany on 13 Nov.; request for preparation of the meeting by 6 November, DS

Dear Mr Treib,

please prepare - the whole range (national cyber policy, critical infrastructure protection, status of NIST standards, IT-SiG, round table, international, internet governance, ...)

BG MD

Dr. Markus Dürig
Head of Division IT 3 - IT Security
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 18 681 1374
PC-Fax: +49 30 18 681 5 1374
email: markus.duerig@bmi.bund.de
From: Batt, Peter
Sent: Thursday, 10 October 2013 12:48
To: IT3_
Cc: Schallbruch, Martin; ITD_; Dürig, Markus, Dr.
Subject: FW: Visit of Michael Daniel to Germany on 13 Nov.; request for preparation of the meeting by 6 November, DS

IT3 with the request for preparation

signed P. Batt

From: StRogall-Grothe_
Sent: Wednesday, 9 October 2013 18:23
To: ITD
Cc: SVITD; Loose, Katrin; Lühmann, Hendrik
Subject: Visit of Michael Daniel to Germany on 13 Nov.; request for preparation of the meeting by 6 November, DS

Dear Mr Schallbruch,

the dinner with Mr Michael Daniel and Mr Andrew Scott will take place on 13 November 2013 at the Capital Club (Mohrenstraße 30) from 19:00. Protocol has already taken care of reserving the room and the menu, and an interpreter has also already been arranged.

Mr Chris Painter of the State Department (Cyber-AL) will presumably also attend the dinner, but here we still have to await final confirmation from Dr. Vogel.

Ms Rogall-Grothe requests preparation for the meeting with Mr Daniel by 6 November 2013 at the latest, DS.

Many thanks.

pp. Kathrin Krahn

Office of the State Secretary and
Federal Government Commissioner
for Information Technology
Cornelia Rogall-Grothe
Federal Ministry of the Interior
Alt-Moabit 101 D
10559 Berlin
Tel.: 030 - 18681-1107
Fax: 030 - 18681-1135
email: strg@bmi.bund.de
kathrin.krahn@bmi.bund.de

From: Vogel, Michael, Dr.
Sent: Monday, 7 October 2013 18:48
To: Lühmann, Hendrik
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Treib, Heinz Jürgen; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Visit of Michael Daniel to Germany

Hello Hendrik,

the US side has just confirmed the date.

I have offered Mr Daniel to accompany him from Wiesbaden to Berlin. Colleague Simon, VB-BKA, will accompany him to Wiesbaden.

Who would be the contact person on the side of our Protocol? I would then pass on his contact details to the "counterpart" at the US Embassy.

Best regards

Michael

From: Franßen-Sanchez de la Cerda, Boris
Sent: Friday, 4 October 2013 17:02
To: Vogel, Michael, Dr.
Cc: Lühmann, Hendrik
Subject: FW: Visit of Michael Daniel to Germany

Dear Mr Vogel,

sorry: here is Mr Lühmann's e-mail address as well.

BG
BFdlC
From: Franßen-Sanchez de la Cerda, Boris
Sent: Friday, 4 October 2013 16:53
To: Vogel, Michael, Dr.
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Treib, Heinz Jürgen; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Visit of Michael Daniel to Germany

Dear Mr Vogel,
on the latest status in this matter:
the dinner will take place at the

Berlin Capital Club (at Gendarmenmarkt)
Mohrenstraße 30
10117 Berlin

and is to begin at 19:00. An interpreter will be arranged; Protocol will take over looking after the guests.

I would be grateful if you could pass these organisational details on to Mr Daniel's office. Is the intended start of the dinner compatible with Mr Daniel's travel dates?

At present, Mr IT-D is scheduled to accompany. Does it remain the case that Mr Daniel will be accompanied (only) by Mr Scott?

Since I will be on holiday next week, I would be grateful for a reply to Mr Lühmann, who will be standing in for me.

Best regards from Berlin
Boris Franßen-de la Cerda

From: Vogel, Michael, Dr.
Sent: Wednesday, 11 September 2013 22:54
To: Franßen-Sanchez de la Cerda, Boris
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Treib, Heinz Jürgen; Binder, Thomas; Klee, Kristina, Dr.; Banisch, Björn
Subject: RE: Visit of Michael Daniel to Germany

Dear Mr Franßen-de la Cerda,

I have just received Mr Daniels' travel plan and attach it. This much in advance: he gladly accepts the invitation to dinner and sends his thanks. I had already passed on the discussion topics. Once the restaurant and the time are fixed, you can let me know and I will pass it on.

November 11

November 12
Arrive Frankfurt (in the morning)
Dinner with BKA President Ziercke

November 13
Keynote speech at 10:00am
Travel to Berlin
Meetings with German Government officials
Dinner with Cornelia Rogall-Grothe

November 14
Depart Berlin (in the morning)

Best regards

Michael Vogel

-----Urspriingliche Nachricht----- 

Von: Franßen-Sanchez de la Cerda, Boris 

Gesendet: Dienstag, 10. September 2013 21:50 

An: Vogel, Michael, Dr. 

Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Treib, Heinz Jürgen; Binder, 
Thomas; Klee, Kristina, Dr.; Banisch, Bjórn 

Betreff: WG: Besuch Michael Daniel in Deutschland 


Lieber Herr Vogel, 


Frau Stn RG würde Herrn Daniel gerne am 13.11.2013 zu einem Abendessen empfangen. Dies wáre die 
vorzugswürdige Option, weil Frau Stn RG am 14.11.2013 VM in Köln terminlich gebunden ist. Zur Not 
könnte sie sich dort auch vertreten lassen; das wäre aber die schlechtere Alternative. 


Besten GruB 
o Franßen-de la Cerda 


From: Vogel, Michael, Dr. 

Sent: Friday, 30 August 2013 00:41 

To: Franßen-Sanchez de la Cerda, Boris 

Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; 
Banisch, Björn; Treib, Heinz Jürgen 

Subject: Visit of Michael Daniel to Germany 


Dear Mr Franßen-de la Cerda, 
at today's meeting with Mr Scott I passed on your topic requests. 


Michael Daniel's travel plan is not yet fully confirmed. Ideally it should look as follows, 
though this will be clarified within the coming 2 weeks: 


- 12.11.2013 Arrival Wiesbaden/BKA 
- 13.11.2013 Participation in the BKA conference (confirmed) 
Onward travel to Berlin 


- 14.11.2013 Meetings in Berlin (US Embassy, Stn RG and AA cyber coordinator) 
Onward travel 


Accordingly, as things stand, either a dinner on 13.11.13 or a meeting the following day would 
suggest itself. Where would your preferences lie? 


Mr Daniel will probably meet P BKA, BfV and BSI in the course of the conference. 


Independently of the fine-tuning of the topics, Mr Daniel would like to speak about the topic "Framework for 
collective actions". Specifically, this is about creating a framework that makes clear 
how one can act jointly within international cooperation (which legal options exist 
in the respective states to, for example, take active action against DDoS attacks, etc.) 


Best regards 


Vogel 


From: Franßen-Sanchez de la Cerda, Boris 

Sent: Thursday, 29 August 2013 10:37 

To: Vogel, Michael, Dr. 

Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; 
Banisch, Björn; Treib, Heinz Jürgen 

Subject: RE: Request for coordination - Visit of Michael Daniel to Germany 


Dear Mr Vogel, 


According to current planning, Stn RG will not attend the BKA conference. A meeting would 
therefore have to be "planned" for Berlin. 


Kind regards 
Franßen-de la Cerda 


-----Original Message----- 

From: Vogel, Michael, Dr. 

Sent: Wednesday, 28 August 2013 21:47 

To: Franßen-Sanchez de la Cerda, Boris 

Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; 
Banisch, Björn; Treib, Heinz Jürgen 

Subject: RE: Request for coordination - Visit of Michael Daniel to Germany 


Dear Mr Franßen-de la Cerda, 
I will be meeting Mr Scott tomorrow (2 p.m. local time). Will Ms Rogall-Grothe possibly attend the 
BKA conference? That would give us the option of organising a meeting on site, if it fits into her 
schedule. 


Best regards 


Michael Vogel 


From: Franßen-Sanchez de la Cerda, Boris 

Sent: Monday, 26 August 2013 10:49 

To: Vogel, Michael, Dr. 

Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; 
Banisch, Björn 

Subject: RE: Request for coordination - Visit of Michael Daniel to Germany 


Dear Mr Vogel, 


As requested, I am sending you the following topic proposals from the IT staff for the planned 
discussion between Stn RG and the White House cyber coordinator: 


- Status of legislation on the protection of critical infrastructure (Kritis) against cyber attacks in the USA and Germany, 
- Development of the topic of cyber in Germany in the 18th legislative period, 

- PRISM and outlook for data protection and data security in Germany, 

- International: 

- Seoul Conference (17/18 Oct), 

- World Summit on the Information Society 2015, preparatory conferences 2014, 

- capacity building, 

- EU: Cyber Security Strategy and NIS Directive. 


Best regards 
Boris Franßen-de la Cerda 


From: Vogel, Michael, Dr. 
Sent: Thursday, 22 August 2013 18:49 
To: Franßen-Sanchez de la Cerda, Boris; Vogel, Michael, Dr. 
Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Binder, Thomas; Klee, Kristina, Dr.; 
Banisch, Björn 
Subject: RE: Request for coordination - Visit of Michael Daniel to Germany 


Dear Mr Franßen-Sanchez de la Cerda, 


Many thanks. 


I have coordinated with the BKA VB and will also meet Mr Scott. The meeting will probably 
take place next week. VB BKA is taking over the organisation for this. 


What approximate discussion topics/requests may I announce? 
Best regards 


Michael Vogel 


Sent from my HTC 
From: Franßen-Sanchez de la Cerda, Boris <Boris.FranssenSanchezdelaCerda@bmi.bund.de> 

Sent: Thursday, 22 August 2013 03:57 

To: Vogel, Michael, Dr. <Michael.Vogel@bmi.bund.de> 

Cc: Schallbruch, Martin <Martin.Schallbruch@bmi.bund.de>; Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de>; 
Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>; Binder, Thomas <Thomas.Binder@bmi.bund.de>; 
Klee, Kristina, Dr. <Kristina.Klee@bmi.bund.de>; Banisch, Björn <Bjoern.Banisch@bmi.bund.de> 

Subject: RE: Request for coordination - Visit of Michael Daniel to Germany 


Dear Mr Vogel, 


Stn Rogall-Grothe would strongly welcome it if an appointment with Mr Daniel could be 
arranged. 


I would therefore be very grateful if you could not only signal our interest to the BKA VB 
but, if possible, also take part yourself in the exploratory meeting, in order to 
underline our interest to Mr Scott. 


Best regards from Berlin, 
BFdlC 


From: Vogel, Michael, Dr. 

Sent: Wednesday, 21 August 2013 16:57 

To: Franßen-Sanchez de la Cerda, Boris; Dürig, Markus, Dr. 

Cc: Schallbruch, Martin; Klee, Kristina, Dr.; Binder, Thomas; Banisch, Björn; Dimroth, Johannes, Dr. 
Subject: Request for coordination - Visit of Michael Daniel to Germany 

Importance: High 


Dear Mr Franßen de la Cerda, 
Dear Mr Dürig, 


The White House cyber coordinator, Michael Daniel, will give a speech at the BKA autumn 
conference in Wiesbaden in November 2013. 


Since he will be in Germany, it makes sense for him to hold further talks with competent partners in Berlin. 
In my opinion, it would be very advisable to arrange an appointment with Stn RG and/or Mr Schallbruch 
and not to leave the field to the AA alone with its new cyber coordinator. The AA 
already knows about the trip. 


The BKA VB is meeting this week or next with Daniel's staff member Andrew Scott, who 
will probably also accompany him to Germany. For arranging further talks he depends on 
pointers at rather short notice. Should I signal our interest to him and, if appropriate, take part in the exploratory 
meeting? 


Michael Vogel 
Strahl, Claudia 


From: Dürig, Markus, Dr. 

Sent: Friday, 11 October 2013 09:33 

To: Dimroth, Johannes, Dr.; RegIT3 

Cc: Treib, Heinz Jürgen; Mantz, Rainer, Dr.; Pilgermann, Michael, Dr. 
Subject: FW: Visit of Michael Daniel to Germany on 13 Nov.; request for meeting preparation by 6 November, DS 


Dear Mr Dimroth, 

then please take over the coordination of the preparation, incl. the contribution on GGE and bilateral talks (you 
were also along in Wash). 

Regards MD 


Dr. Markus Dürig 

Head of Division IT 3 - IT Security 
Federal Ministry of the Interior 
Alt-Moabit 101 D 

10559 Berlin 
Tel.: 030 18 681 1374 
PC-Fax: +49 30 18 681 5 1374 


email: markus.duerig@bmi.bund.de 


From: Treib, Heinz Jürgen 

Sent: Thursday, 10 October 2013 22:28 

To: Dürig, Markus, Dr.; RegIT3 

Cc: Dimroth, Johannes, Dr.; Mantz, Rainer, Dr.; Pilgermann, Michael, Dr. 

Subject: RE: Visit of Michael Daniel to Germany on 13 Nov.; request for meeting preparation by 6 November, DS 


LK, 

here I must remonstrate: 

this cannot be done by me (IT1) en passant, so to speak: next week I am on DR, the week after I am tied up 
preparing G8 RLG (which is already occupying me now, during my holiday), the week after that I am 
in London at RLG, and in between, apparently - unless instructed otherwise - I also still have to write a speech for 
ITD (Fraunhofer on 5.11, for which I have so far only delivered an abstract). 


Sent from my Windows Mobile® phone. 


----- Original Message ----- 


From: Dürig, Markus, Dr. <Markus.Duerig@bmi.bund.de> 

Sent: Thursday, 10 October 2013 14:59 

To: Treib, Heinz Jürgen <HeinzJuergen.Treib@bmi.bund.de>; RegIT3 <RegIT3@bmi.bund.de> 

Cc: Dimroth, Johannes, Dr. <Johannes.Dimroth@bmi.bund.de>; Mantz, Rainer, Dr. <Rainer.Mantz@bmi.bund.de>; 
Pilgermann, Michael, Dr. <Michael.Pilgermann@bmi.bund.de> 
Subject: FW: Visit of Michael Daniel to Germany on 13 Nov.; request for meeting preparation by 6 November, DS 


Dear Mr Treib, 


please prepare - the whole range (national cyber policy, Kritis protection, status of NIST standards, IT-SiG, round table, 
international, internet governance, ...) 
BG MD 


Dr. Markus Dürig 

Head of Division IT 3 - IT Security 
Federal Ministry of the Interior 
Alt-Moabit 101 D 

10559 Berlin 

Tel.: 030 18 681 1374 

PC-Fax: +49 30 18 681 5 1374 
email: markus.duerig@bmi.bund.de 
From: Batt, Peter 
Sent: Thursday, 10 October 2013 12:48 
To: IT3_ 
Cc: Schallbruch, Martin; ITD_; Dürig, Markus, Dr. 
Subject: FW: Visit of Michael Daniel to Germany on 13 Nov.; request for meeting preparation by 6 November, DS 


IT3 with the request for preparation 


signed P. Batt 


From: StRogall-Grothe_ 

Sent: Wednesday, 9 October 2013 18:23 

To: ITD_ 

Cc: SVITD_; Loose, Katrin; Lühmann, Hendrik 

Subject: Visit of Michael Daniel to Germany on 13 Nov.; request for meeting preparation by 6 
November, DS 


Dear Mr Schallbruch, 


the dinner with Mr Michael Daniel and Mr Andrew Scott will take place on 13 November 2013 at the Capital 
Club (Mohrenstraße 30) from 19:00. Protocol has already taken care of reserving the 
room and the menu, and an interpreter has also already been organised. 


Mr Chris Painter from the State Department (Cyber AL) is expected to attend the dinner as well, 
but here we still have to await final confirmation from Dr Vogel. 


Ms Rogall-Grothe requests meeting preparation for the meeting with Mr Daniel by 6 
November 2013 at the latest, DS. 


Thank you. 


Kind regards 
p.p. Kathrin Krahn 


Office of the State Secretary and 
Federal Government Commissioner 
for Information Technology 
Cornelia Rogall-Grothe 
Federal Ministry of the Interior 
Alt-Moabit 101 D 
10559 Berlin 
Tel.: 030 - 18681-1107 
Fax: 030 - 18681-1135 


email: strg@bmi.bund.de 
kathrin.krahn@bmi.bund.de 


From: Vogel, Michael, Dr. 

Sent: Monday, 7 October 2013 18:48 

To: Lühmann, Hendrik 

Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Treib, Heinz Jürgen; Binder, 
Thomas; Klee, Kristina, Dr.; Banisch, Björn 
Subject: RE: Visit of Michael Daniel to Germany 


Hello Hendrik, 
the US side has just confirmed the appointment. 


I have offered Mr Daniel to accompany him from Wiesbaden to Berlin. Colleague Simon, VB-BKA, 
is accompanying him to Wiesbaden. 


Who would be the contact person on the side of our Protocol? I would then pass on his contact details to the 
"counterpart" at the US Embassy. 


Best regards 


Michael 


From: Franßen-Sanchez de la Cerda, Boris 

Sent: Friday, 4 October 2013 17:02 

To: Vogel, Michael, Dr. 

Cc: Lühmann, Hendrik 

Subject: FW: Visit of Michael Daniel to Germany 


Dear Mr Vogel, 
sorry: here is also Mr Lühmann's e-mail address. 


BG 
BFdlC 


From: Franßen-Sanchez de la Cerda, Boris 

Sent: Friday, 4 October 2013 16:53 

To: Vogel, Michael, Dr. 

Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Dimroth, Johannes, Dr.; Treib, Heinz Jürgen; Binder, 
Thomas; Klee, Kristina, Dr.; Banisch, Björn 

Subject: RE: Visit of Michael Daniel to Germany 


Dear Mr Vogel, 

on the latest status in this matter: 
The dinner will take place at the 

Berlin Capital Club (at Gendarmenmarkt) 
Mohrenstraße 30 

10117 Berlin 


and is to begin at 19:00. An interpreter will be organised; Protocol will take care of 
looking after the guests. 
I would be grateful if you could pass these organisational details on to Mr Daniel's office. Is 
the intended start of the dinner compatible with Mr Daniel's travel dates? 


Currently it is planned that Mr IT-D will accompany. Does it remain the case that Mr Daniel will be accompanied (only) by 
Mr Scott? 


As I will be on holiday next week, I would be grateful for a reply to Mr Lühmann, who 
will be standing in for me. 


Best regards from Berlin 
Boris Franßen-de la Cerda 


From: Dürig, Markus, Dr. 
Sent: Saturday, 19 October 2013 02:33 
To: Dimroth, Johannes, Dr.; RegIT3 
Cc: Mantz, Rainer, Dr.; Treib, Heinz Jürgen; SVITD_; ITD_ 
Subject: FW: Michael Daniel's trip to Germany (Week of November 11) 


Dear Mr Dimroth, 

please prepare the meeting as agreed. I have also discussed with Mr Treib that you attend the 
dinner, since you are preparing the meeting, if you can arrange it. 

Here I have learned from Daniel's staff member that he also wants to raise the topic of "national 
security requirements for IT service providers", because these would destroy the business model of the 
globally positioned US corporations. 

On this, please consult me briefly before processing. 

BG 

MD 


Dr. Markus Dürig 
Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D 
10559 Berlin 
Tel.: 030 18 681 1374 
PC-Fax: +49 30 18 681 5 1374 
email: markus.duerig@bmi.bund.de 
-----Original Message----- 
From: StRogall-Grothe_ 
Sent: Friday, 18 October 2013 17:59 
To: IT3_; Dürig, Markus, Dr. 
Cc: Treib, Heinz Jürgen; ITD_; SVITD_ 
Subject: FW: Michael Daniel's trip to Germany (Week of November 11) 


Dear Mr Dürig, 


with reference to the mail below, I request meeting preparation for the dinner with Mr Daniel 
by 6.11.2013. 


From here, the following topic proposals had been transmitted to the US side: 
- Status of legislation on the protection of critical infrastructure (Kritis) against cyber attacks in the USA and Germany, 
- Development of the topic of cyber in Germany in the 18th legislative period, 
- PRISM and outlook for data protection and data security in Germany, 
- International: 
- Seoul Conference (17/18 Oct), 
- World Summit on the Information Society 2015, preparatory conferences 2014, 
- capacity building, 
- EU: Cyber Security Strategy and NIS Directive. 


On Mr Daniel's side, the following topic has currently been named: 

"Framework for collective actions" - creation of a framework for a joint approach within 
international cooperation (which legal options exist in the respective states to, for example, take active 
action against DDoS attacks, etc.). 


Many thanks and regards 
p.p. 
Boris Franßen-de la Cerda 
-----Original Message----- 

From: StRogall-Grothe_ 

Sent: Friday, 18 October 2013 17:49 

To: Vogel, Michael, Dr. 

Cc: Schallbruch, Martin; Dürig, Markus, Dr.; Treib, Heinz Jürgen; Hannemann, Kristin; Binder, Thomas; Klee, Kristina, 
Dr. 

Subject: FW: Michael Daniel's trip to Germany (Week of November 11) 


Dear Mr Vogel, 
after consulting Stn RG, the delegation on the US side may consist of a total of 5 persons. 


From our side, in addition to Mr IT-D, Dr Dürig, Mr Treib and the undersigned would take part in the 
meeting of Stn RG with Mr Daniel. 


Would you, dear Mr Vogel, also like to take part? I think the US side should have no objection if the two 
delegations are not "strictly balanced", right? 


The dinner will - as already announced - take place on 13.11.2013 at 19:00 at the 
Berlin Capital Club (at Gendarmenmarkt) 

Mohrenstraße 30 

10117 Berlin. 


Protocol will receive the US delegation. 


Best regards 
Boris Franßen-de la Cerda 


-----Original Message----- 

From: Vogel, Michael, Dr. 

Sent: Thursday, 10 October 2013 18:40 

To: Lühmann, Hendrik; StRogall-Grothe_ 

Cc: Hannemann, Kristin; Protokoll Inland; Krahn, Kathrin; Loose, Katrin 

Subject: AW: Re: AW: Re: AW: RE: Michael Daniel's trip to Germany (Week of November 11) 


Dear Hendrik, 


Attached is the reply from the US Embassy. 
There would be 5 persons on the US side. I assume that is ok for you. 


Kind regards 
Michael 


Sent from my HTC 

----- Original Message ----- 

From: Evans, Bradley R <EvansBR@state.gov> 

Sent: Thursday, 10 October 2013 11:38 

To: Vogel, Michael, Dr. <Michael.Vogel@bmi.bund.de> 

Cc: Hannemann, Kristin <Kristin.Hannemann@bmi.bund.de> 

Subject: Re: AW: Re: AW: RE: Michael Daniel's trip to Germany (Week of November 11) 
From: Dürig, Markus, Dr. 

Sent: Monday, 21 October 2013 08:06 

To: Dimroth, Johannes, Dr.; RegIT3 

Cc: Mantz, Rainer, Dr.; Treib, Heinz Jürgen; SVITD_; ITD_ 

Subject: RE: Michael Daniel's trip to Germany (Week of November 11) 


One additional topic: 
How to achieve global standards for more cyber security? 


BG MD 


Dr. Markus Dürig 

Head of Division IT 3 - IT Security, Federal Ministry of the Interior, Alt-Moabit 101 D 
10559 Berlin 

Tel.: 030 18 681 1374 

PC-Fax: +49 30 18 681 5 1374 

email: markus.duerig@bmi.bund.de 


From: Dürig, Markus, Dr. 

Sent: Monday, 4 November 2013 17:30 

To: Treib, Heinz Jürgen; RegIT3 

Subject: new recommendation on the visit of M Daniel to the BMI 


Dear Mr Treib, 
Stn RG wants yet another new recommendation regarding the visit - the cancellation has not yet been forwarded 
by Mr Vogel. 


Please revise the recommendation on the visit request by M Daniel to Stn RG to the effect that we recommend 
positively in principle, that despite the "general climate", in the absence of an instruction from the BK, we should carry on 
business as usual, and that therefore there should be no cancellation but the meeting should be attended by Mr IT D. 
Topics: 
- Clarification of the unacceptability of the tapping of the head of government's mobile phone (likewise those of 
ministers), 
- Major topics of cyber policy: norms of state behaviour. 
Because of the first topic, one cannot then talk about Kritis protection and standards. 


By Tue, 12.00 h please. 
Regards and thanks 
MD 


Dr. Markus Dürig 

Head of Division IT 3 - IT Security 
Federal Ministry of the Interior 
Alt-Moabit 101 D 

10559 Berlin 

Tel.: 030 18 681 1374 

PC-Fax: +49 30 18 681 5 1374 
email: markus.duerig@bmi.bund.de 


Von: Treib, Heinz Jürgen 

Gesendet: Dienstag, 5. November 2013 17:59 
An: Dürig, Markus, Dr. 

Cc: IT3 ; RegIT3 


Betreff: Gesprách mit Herrn Daniel (Cyber Koordinator WH) am 13. November 2011 


Bitte weiterleiten 


c — — nn Schnipp-------—--------------—----------------------_---_-----------__--------- esee 


SSS SSS SSS SPS SS SSS SS SS ee a nn 
—— ee ee ee m ee ee EI III oem 


Frau 
Stn Rogall-Grothe 


über 


Herrn IT Direktor 
Herrn SVITD 
Herrn Refi. IT 3 


Votum: 


Angebot an Herrn Michael Daniel für ein Gespräch/Abendessen mit Herrn IT D am 13. November 2013 in Berlin. 


Sachverhalt: 


o Herr Michael Daniel hat folgende noch nicht gesicherte Reiseplanung im Zusammenhang mit seiner Teilnahme an 
der BKA Herbsttagung: 


- 12.11.2013 Anreise Wiesbaden/BKA 


- 13.11.2013 Teilnahme an BKA-Tagung (gesichert) 
Weiterreise nach Berlin 


- 14.11.2013 Gespráche in Berlin (US-Botschaft, ggf. AA Cyber Koordinator, Herr Dirk Brengelmann) 
Weiterreise 


In this situation, Mr Daniel was offered, via the DHS liaison officer, Mr Michael Vogel, a meeting and a joint dinner with you:

According to the original planning, 13 November 2013 at the Capital Club (Mohrenstraße 30) from 19:00 was envisaged for this. Protocol had already taken care of reserving the room and the menu, and an interpreter had also already been arranged.

As a result of a consultation on 1 Nov. 2013, Division IT 3 was asked to cancel the appointment because of the large number of your commitments in the course of the formation of the government.
Assessment:

It is to be expected that your cancellation of the appointment, in view of the many obligations during the formation of the government in DEU, will in principle meet with understanding on the US side.

However, we are at risk that a cancellation without replacement, in the current climate of the NSA affair etc., could be perceived as an unfriendly act which might have a negative effect on future cooperation with the USA in the field of cyber security in general and, beyond that, in the context of the fundamentally trusting cooperation between the BMI and the DHS.
Since there is no new guiding instruction from the BK Amt regarding bilateral communication with the USA, from a professional point of view there is much to be said for avoiding, at the working level, the appearance of newly less friendly German manners. At the same time, every opportunity should be used to raise appropriately the problems that exist from our point of view.

Against this background, a replacement offer in the sense of the recommendation would be a suitable alternative. In that context, the unacceptable surveillance practice as well as the eavesdropping on mobile phones of the head of government and members of the government etc. would be raised with the WH representative and his delegation (possibly also representatives of the State Department). Beyond that, an exchange on the topic of "Norms of State Behavior" would be helpful as "business as usual".


i.A. (by order)


Treib 
From: Schallbruch, Martin

Sent: Wednesday, 6 November 2013 13:05
To: StRogall-Grothe
Cc: Dimroth, Johannes, Dr.; Dürig, Markus, Dr.; IT3_; Batt, Peter
Subject: Visit of Mr Michael Daniel on the margins of the BKA autumn conference on 13 November 2013 in Berlin
Importance: High

[Receipt stamp: Bundesministerium des Innern, 7 Nov. 2013, IT 3 - 17002/1087]




Ms
Stn Rogall-Grothe


Mr IT Director [Sb 6.11.: I can take over the dinner as a substitute, but still plead for the appointment to be attended at State Secretary level. According to Mr St F, ChBK decided immediately after the allegations against the NSA concerning the Chancellor's mobile phone became known that no talks would be cancelled because of this. The Chancellor herself has also made clear several times that she will continue to cultivate relations with the USA, without prejudice to the answers and commitments expected from the USA. From my point of view, cyber security is an important topic of common interest; Michael Daniel has specific requests for discussion on this which in principle also meet our interests. In particular, with regard to the minimum security requirements for critical infrastructures planned by the new coalition, harmonisation with the US framework is very much in our interest. Therefore, in my view, the conversation should be conducted by Ms St'n RG as originally planned. Besides the talks at working level (Ziercke, Maaßen, Brengelmann), the conversation with Ms St'n RG would be the only conversation at the political level and thus the most important conversation of the Daniel visit. On the question of how Ms St'n RG should express herself on the NSA issue towards Mr Daniel, I would recommend a prior telephone call with Mr Heusgen.]

Mr SV IT D [i.V. Sb 6.11.]
Mr Head of Division IT 3 (i.V. JD 06/11)






Recommendation:
Offer to Mr Michael Daniel of a meeting/dinner with Mr IT D on 13 November 2013 in Berlin.
Facts:

Mr Michael Daniel has the following, not yet confirmed, travel plans in connection with his participation in the BKA autumn conference:

- 12.11.2013 arrival Wiesbaden/BKA

- 13.11.2013 participation in the BKA conference (confirmed)
onward travel to Berlin

- 14.11.2013 meetings in Berlin (US Embassy, possibly AA Cyber Coordinator, Mr Dirk Brengelmann)
onward travel

In this situation, Mr Daniel was offered, via the liaison officer at the DHS, Mr Michael Vogel, a meeting and a joint dinner with you:

According to the original planning, 13 November 2013 at the Capital Club (Mohrenstraße 30) from 19:00 was envisaged for this. Protocol had already taken care of reserving the room and the menu, and an interpreter had also already been arranged.

As a result of a consultation on 1 Nov. 2013, Division IT 3 was asked to cancel the appointment because of the large number of your commitments in the course of the formation of the government.

Assessment:

It is to be expected that your cancellation of the appointment, in view of the many obligations during the formation of the government in DEU, will in principle meet with understanding on the US side.
However, we are at risk that a cancellation without replacement, in the current climate of the NSA affair etc., could be perceived as an unfriendly act which might have a negative effect on future cooperation with the USA in the field of cyber security in general and, beyond that, in the context of the fundamentally trusting cooperation between the BMI and the DHS.
Since there is no new guiding instruction from the BK Amt regarding bilateral communication with the USA, from a professional point of view there is much to be said for avoiding, at the working level, the appearance of newly less friendly German manners. At the same time, every opportunity should be used to raise appropriately the problems that exist from our point of view.
Against this background, a replacement offer in the sense of the recommendation would be a suitable alternative. In that context, the unacceptable surveillance practice as well as the eavesdropping on mobile phones of the head of government and members of the government etc. would be raised with the WH representative and his delegation (possibly also representatives of the State Department). Beyond that, an exchange on the topic of "Norms of State Behavior" would be helpful as "business as usual".

i.A. (by order)

Treib
Strahl, Claudia

From: Treib, Heinz Jürgen

Sent: Monday, 11 November 2013 12:20

To: Mantz, Rainer, Dr.

Cc: Dürig, Markus, Dr.; RegIT3; IT3; Dimroth, Johannes, Dr.; Koch, Theresia; Gitter, Rotraud, Dr.

Subject: Substantive preparation for the conversation/dinner of Ms Stn RG with Mr Michael Daniel, White House

Please forward: Dr. Dimroth and Dr. Gitter were involved in drafting the SZ (speaking notes).

Attachments: FINAL - Speech to the BKA Conf...; Vita M Daniel.docx; SZ Cybersecurity incl. NIS.doc...

IT 3 - 17002/10#7




Ms
Stn Rogall-Grothe

via
Mr IT Director

Mr SV IT D
Mr Head of Division IT 3

Recommendation:
Link the conversation during the dinner with Mr Michael Daniel to his speech at the BKA conference.


Facts:

Mr Michael Daniel has the following travel plans on the margins of the BKA autumn conference:

12 November
19:30 dinner with Mr P BKA, Jörg Ziercke,

13 November
11:00-11:30 meeting with Mr P BfV, Hans-Georg Maaßen,

19:00 dinner with Ms Stn Rogall-Grothe

The programme came about through the mediation of Dr. Vogel (BMI liaison officer at the US DHS). The dinner takes place at the Capital Club (Mohrenstraße 30) from 19:00. The organisation is handled by Protocol; an interpreter has been arranged.


Assessment:

The US side has indicated a need for discussion on several topics which are addressed in the speech by Mr M Daniel for the BKA conference that was transmitted to us in advance:

- EU Cybersecurity Directive
- Germany's domestic efforts and national strategy on cybersecurity
- The U.S. Executive Order and cybersecurity legislation
- Opportunities for enhancing U.S.-German cooperation on cybersecurity
- Emerging norms of state behavior in cyberspace in peacetime
- U.S. and German engagement with other countries

In this situation it makes sense to link a conversation substantively to the statements in the speech and to pursue the following objectives:

- identify political and strategic commonalities and, where applicable, gradual differences in cybersecurity policy-making,
- discuss principles for state surveillance in the context of "norms for acceptable state behaviour" (including the consequences of current reporting on the eavesdropping practices of the intelligence services), and
- discuss new approaches in the area of Internet governance/capacity building.
A corresponding proposal for the conversation, the speech and a CV of Mr M Daniel are attached.

In line with the size of the US delegation (as far as known here, 5 persons), Mr IT D, Messrs Mantz and Vogel, Mr Franßen-Sanchez de la Cerda and Mr Treib will also take part on the DEU side.

i.A. (by order)

Treib
REMARKS BY SPECIAL ASSISTANT TO THE PRESIDENT AND WHITE HOUSE
CYBERSECURITY COORDINATOR MICHAEL DANIEL


German BKA Conference 
“Cybercrime: Threat, Intervention, Defense” 
November 13, 2013 


OPENING COMMENTS 


Good morning everyone. Thank you for the kind introduction. It’s a pleasure to be here with you 
here in Wiesbaden for the BKA’s annual conference — particularly this one given its focus on 
“Cybercrime: Threat, Intervention, Defense.” I'd like to congratulate our German hosts for 
putting on such an excellent event. 


My name is Michael Daniel, and I currently serve as Special Assistant to the President and 
Cybersecurity Coordinator at the White House. 


In my role, I lead the United States Government’s development of national cybersecurity strategy 
and policy and oversee the implementation of those policies on behalf of President Obama. 


One of the great parts of this job is getting to engage and listen to a diverse range of
representatives from across government, the private sector, and academia. I've particularly been
looking forward to this conference; this is my first trip to Europe in my capacity as the
Cybersecurity Coordinator.


Today, I would like to provide an overview of some of the U.S. Government’s current thinking 
on cybersecurity, including our priorities, areas of potential challenges and opportunities, and 
how the United States and Germany can work together to improve our collective security in 
cyberspace. 


THE “NEW NORMAL” 


But first, I’d like to briefly talk about the challenges we face in cyberspace. As all of you know, 
cyber threats pose a significant problem for governments and businesses alike. From the White 
House perspective, three trends make the cyber threat particularly troubling: 


- First, the threat is becoming broader and more diverse — as we hook more and more items
up to the Internet, the potential vectors for attack are growing exponentially, making the
area we need to defend ever bigger. And we are continually connecting new and
different things to the Internet — think everything from cars to coffee makers to
distributed sensors - so the problem of defense is even more challenging than "simply"
protecting desktops connected by wires.


- Second, the threat is becoming more sophisticated — malware is getting harder and harder
to detect, and it does more varied kinds of things. At the same time, you no longer have
to be a coder to use malware. Not only are malicious developers making malware easier
to use, in some cases, cybercriminals have established on-line help desks, so that if your
malware doesn't work, you can call and get help.
- Third, the threat is becoming more dangerous — malicious actors are showing an
increasing willingness to be more destructive in their activities, as we have witnessed
with the attack against Saudi Aramco last year and South Korean banks earlier this year.


But what is ultimately more concerning is how “normal” these threats are becoming. The new 
normal is not massive power outages or train traffic grinding to a halt nationwide—those kinds 
of things are not "normal." At least, not yet. Rather, these trends are leading to a “new normal” 
that is less flashy than a Hollywood action movie, but still very troubling: persistent intrusions, 
violations of privacy, thefts of business information, and degradation and denial of service to 
legitimate entities trying to do business or getting their message out on the Internet. 


NO INTERIOR TO CYBERSPACE 





As we think about how to manage these threats, we have to keep in mind one unique 
characteristic of cyberspace. Traditionally, the argument has been that cyberspace has no 
borders, and that's both a strength (the free flow of information drives huge economic benefits) 
and a problem (it allows malicious actors great freedom of movement). 


But I would argue that such arguments are not entirely correct. There are borders and boundaries 
everywhere in cyberspace. Every place there is a firewall or a connection point, there is a 
border. Instead, what cyberspace lacks is an interior — there is no “inside” to our network spaces. 
Everyone effectively “lives” at the border. We are all connected through cyberspace, and that 
interconnectedness means that everything and everyone touches an edge or a border in some 
fashion. 


And this reality has some profound implications for how we organize ourselves as a society to
protect ourselves in cyberspace — and how I try to carry out my cybersecurity role. For example,
in the physical world, we assign the mission of “border security" to the national government. 
But if everyone lives right at the border in cyberspace, then it's not physically possible to assign 
the "border security" mission to just one group or element of our society, even the national 
government. It becomes a shared mission, one that everyone in a country or society has a role in. 
And it means that conventional ways of thinking about threats need to change as well. For 
example, in many countries, citizens expect national governments to deal with “external” threats, 
while local governments tackle limited "internal" threats, like crime. But we have seen states 
taking malicious action through locally based servers and petty criminals stealing money from 
abroad; we can no longer simply use “external” and “internal” as the basis for allocating 
responsibility for action. 


GUIDING PRINCIPLES 





So how do we improve our collective security in a "new normal" of daily intrusions against
individuals, businesses, and governments? If you were hoping that I would now supply the 
answers to these questions, I am afraid I am going to have to disappoint you. I don’t have those 
complete answers yet, nor do I think anyone does. However, I would like to highlight some of 
the principles we are following in the United States as we work to address this challenge. 
Compromises Are Inevitable; Plan for Them. In living with this "new normal," we cannot be
surprised when intrusions and outages occur. Instead, we must be prepared. Businesses and 
governments alike should develop and test their cybersecurity incident response plans; use 
modern network defense best practices and technologies; and continuously monitor their 
networks under the assumption that they have been breached. And everyone should have 
contingency and fallback plans in place with service providers should all else fail. 


Information Must Be Shared, Frequently and Rapidly. Cybersecurity is a shared challenge 
and the international community has a shared responsibility in working together to address it. To 
do so, we all must be willing and able to share information about the respective threats we face. 
This requires collaboration at all levels: between governments; between government and 
industry; and between companies in the private sector. After all, the threats that we face today 
may be the threats you face tomorrow. 


Teamwork is a Requirement. In speeches back home, I often say: “cybersecurity is a team 
sport.” What I mean is that no single entity in our country can address this issue alone. Everyone, 
from the private sector to law enforcement to homeland security to civil society, has a role to 
play. This is true in the United States and I believe it is true internationally — if we are only as 
strong as the weakest link in our interconnected networks, we each share responsibility for the 
safety and security of one another.


Network Defense First. The risk of misattribution, miscalculation, and escalation in cyberspace 
is very real. As a government, we consider all of our cybersecurity and network defense 
activities against their possible foreign policy implications and our desire to establish 
international norms of acceptable behavior in cyberspace. We don’t want our response to a minor 
cyber incident to harm our relationships with other nations or worse, result in physical conflict. 
As a result, we will undertake network defense activities first and work hard to make these 
solutions effective before using other means of dealing with malicious activity. 


Protect Privacy and Civil Liberties. The United States firmly believes cybersecurity and
privacy are mutually reinforcing, not in competition. Done properly, cybersecurity protects
privacy and civil liberties by strengthening the networks and systems that contain personal 
information—and we are taking steps to make that vision a reality. We are building protection 
for personal data into our cybersecurity framework for critical infrastructure; ensuring that our 
network defense actions reflect our commitment to protecting the privacy and civil liberties of 
the users of those networks; and engaging privacy advocates and other key stakeholders on 
discussions on how to safeguard privacy and civil liberties while supporting business and 
enhancing security. We also insist on strong privacy protections in any cybersecurity legislation 
that our Congress considers. All of our partners, both in the United States and internationally, 
must have confidence in our ability to protect information you choose to share with us. 


PUTTING THE PRINCIPLES IN PRACTICE INTERNATIONALLY 





We are putting these principles into practice across all of our cybersecurity efforts — both 
domestically and internationally. 


Protecting Critical Infrastructure 
First, we are working to strengthen the cybersecurity standards and practices in our critical
infrastructure sector. As a key step in this effort, earlier this year, President Obama signed an 
Executive Order directing several actions aimed at exactly this goal. In particular, the Executive 
Order strengthens the U.S. Government's partnership with critical infrastructure owners and 
operators to address cyber threats through information sharing, the protection of privacy and civil 
liberties, and the development of a framework of cybersecurity best practices and standards. 


We believe that governments have a clear role in helping private sector companies help 
themselves, especially when it comes to critical infrastructure owners and operators. To that 
end, the Executive Order requires the U.S. government to increase its efforts to share actionable 
information with those who need it the most — network defenders, companies, and other 
governments. We have already started this and want to do more of it. For example, we have 
shared hundreds of thousands of signatures and indicators of malicious cyber activity with the 
private sector and over a hundred nations just in the past six months. It also incorporates strong 
privacy protections by mandating that Federal agencies follow the Fair Information Practice 
Principles or FIPPs when implementing their cybersecurity actions.


But we recognized information sharing alone would never be enough; we also needed to raise the 
bar for cybersecurity in the United States. So, the Executive Order also directed the creation of a 
framework of cybersecurity best practices and standards for critical infrastructure. Over the last 
9 months, the U.S. government has collaborated with the private sector to develop this
framework. Let me be clear: the framework is not a scientific breakthrough in cybersecurity. It
is actually more basic, outlining the best practices that many firms already do. What it does do, 
however, is provide a structured way for companies to think about their cybersecurity risk, 
determine their current level of cybersecurity, and then decide what they would like their level to
be. The framework then points to the standards and practices that, if implemented, will get 
companies to their desired cybersecurity level. 


We recently completed the preliminary draft of this framework. We think it is an excellent start, 
but we know it can and will be improved upon in the future. As part of the process for finalizing 
the preliminary draft, we have asked for companies, industry sectors — in fact, almost anyone — to 
implement the framework and provide us with feedback on what works and what does not. That 
request extends internationally as well — we welcome feedback from any government or any 
multinational company that chooses to provide it. As I said before, the United States does not 
have all the answers — by working with our international partners, we know we can achieve more 
together than we ever could individually. 


Norms Development and Foreign Policy 


Second, we are working to integrate cybersecurity as a core element of our foreign policy 
relationships with other countries. Since cybersecurity is a shared responsibility, it is not 
exclusively a domestic issue. 


In cyberspace, as elsewhere, states have a special responsibility to protect their own national 
security and promote peace and stability with other nations. Consequently, we continue to 
engage our Allies and partners worldwide to solidify norms of cyber behavior — what states and 
other actors should and should not do in cyberspace — and to ensure the Internet remains open,
interoperable, secure, reliable, and stable, following the principles outlined in the U.S. 
International Strategy for Cyberspace. In doing so, we are striving to create an environment in 
which everyone can benefit from cyberspace, in which cooperation is encouraged, and in which 
there is little incentive for states to disrupt or attack one another. 


But the truth is that actions speak louder than words. So to promote the norms we want, we must 
take the steps to make them a reality. We need to move to an environment where all countries 
routinely and quickly respond to requests for assistance in mitigating cybercrime and other 
malicious cyber activities emanating from their territory. The United States is committed to 
working with the international community to build the processes and capacity needed to respond 
to malicious activity through such collective action. 


Internet Governance 


Third, the United States remains steadfast in our support for an Internet governance model that 
supports international trade and commerce, strengthens international security and fosters free 
expression and innovation. We strongly believe that proposals advocating international 
regulation to curb the open and free nature of the Internet would slow the pace of innovation and 
economic development and could lead to unprecedented control over what people say and do 
online. Such proposals play into the hands of repressive regimes that wish to legitimize 
inappropriate state control of content. Instead, we believe that governments, the private sector, 
and civil society all have an important voice on the future of the Internet. If we truly believe that 
the path to economic growth and prosperity is through an open, connected world, we must 
strengthen—not weaken—the multistakeholder institutions that are critical to the management 
and administration of the Internet itself. 


Law Enforcement Cooperation 


Fourth, we believe that we must increase our ability to disrupt malicious activities in cyberspace. 
In order to achieve this goal, we must deepen our law enforcement cooperation across the 
international community, but particularly with Germany and other European allies. The United 
States and Europe have had several successes in recent years: 


- We established an EU-US Working Group on cybersecurity and cybercrime to identify
common goals and actions to achieve those goals;


- We have had success in getting more countries to ratify the Council of Europe
Convention on Cybercrime and make it a truly global instrument for combatting
cybercrime; and


- Last year the United States and the EU launched the Global Alliance Against Child
Sexual Abuse Online;


All of these are notable achievements. But as technology continues to evolve, our legal responses 
must evolve with it. Issues such as data protection, law enforcement access to data across 
borders, or information sharing between the public and private sector create new challenges for
our law enforcement cooperation. We can, and must, ensure that our cooperation meets those 
challenges in order to address the ever-evolving threat from cybercriminals and non-state actors. 


Capacity-Building 


While I’ve talked at length about the United States’ cybersecurity efforts, we are mindful that 
many countries are still working to develop the industries, technologies, and connectivity 
necessary for economic development in the 21st century. To bridge that gap, we are committed to
connecting more people around the world to the digital future. The United States believes — 
that expanded global access to telecommunications and broadband services—combined with an 
inclusive, multistakeholder-driven Internet governance model—remains the best path towards 
economic growth that benefits everyone. 


And finally, we are committed to assisting developing nations around the globe build their 
cybersecurity capacity. Across the U.S. government, we have established programs to help 
governments create cybersecurity policies and programs from the ground up. These programs 
help address any number of needs, such as developing rule of law in cyberspace; drafting 
national cybersecurity strategies; and creating computer emergency response teams. As just one 
example, the U.S. State Department has spent significant time and effort working with Senegal 
and Ghana to build long-term cybersecurity partnerships between the United States and fourteen 
states in West and Central Africa. 


We are only one country, however, and we do not have unlimited resources. Therefore, we are 
eager and willing to work with other nations on awareness-raising, legal and technical training, 
and other initiatives that will bolster our collective pursuit of an open, interoperable, secure, and 
reliable cyberspace. 


U.S.-EUROPEAN CYBER COOPERATION 





I would be remiss in giving this speech if I did not emphasize how much the United States values 
our cybersecurity partnership with Europe — and particularly with Germany. You have been, and 
will continue to be, a key ally in building a more safe and secure cyberspace: 


- As I mentioned above, on cybercrime, our law enforcement agencies have a long-standing
and deep cooperative relationship and continue to work together on
investigations and prosecutions.


- On incident response, our computer emergency response teams work together regularly to
share threat information and address malicious cyber activity. In particular, we were 
deeply grateful for the timely and immediate assistance the German government provided 
earlier this year when we asked for help with ongoing denial of service attacks against 
our banks and financial sector. 
- On foreign policy, our diplomats continue to be the staunchest of allies for our "like-minded"
views on the applicability of international law to cyberspace and norms of
behavior for states in cyberspace.


We are committed to this partnership. While the United States and Germany at times differ in 
our opinion of the best way to build a more safe and secure cyberspace, we do agree on the 
importance of this mission. We cannot and must not lose sight of the fact that our cooperation 
and continued dialogue serves to strengthen and secure cyberspace for both our citizens. 


CONCLUSION 


I'd like to conclude with a few final thoughts: 


- First, while we must continue to be mindful of the threats we face, we must all improve
our collective cybersecurity capability through collaboration and partnership. 


- Second, solving our cybersecurity challenges will not be easy and will require persistence
from all of us. But as President Obama said in his State of the Union address earlier this 
year: “We cannot look back years from now and wonder why we did nothing in the face 
of real threats to our security and our economy.” 


- Finally, the Information Age has only just begun. While the issues we face are complex
and challenging, we have an opportunity now to put the foundation in place for a safer 
and more secure future. I, for one, look forward to that challenge. 


Again, I'd like to thank our hosts of this conference for putting on such a wonderful event. I 
appreciate the opportunity to speak to all of you and look forward to our continued work to meet 
these challenges. Thank you. 
Michael Daniel

Special Assistant to the President and
Cybersecurity Coordinator

responsible for cyber security strategy and
implementation

* 1971, in Atlanta

married, 2 children (2 sons)

Career
07/1992 – 08/1993 Southern Center for International Studies [1]
Research Assistant

1995 – 2012 Office of Management and Budget [2]
National Security Division
07/1995 – 09/2001: Operations Branch
Navy and Marine Corps operations overseas (e.g. Bosnia and Kosovo).

09/2001 – 06/2012: Intelligence Branch, Chief

[1] Think tank from Atlanta

[2] The Office of Management and Budget (OMB) monitors compliance with and implementation of the federal programmes assigned to the federal agencies in line with the President's policy. The OMB also has an important role as a coordinating agency, among other things in the annual compilation and publication of the President's budget proposal.
oversight (financial and technical supervision) of the US intelligence services and their operations (incl. cybersecurity)

since 2007: coordination of various cybersecurity programmes (e.g. Comprehensive National Cybersecurity Initiative - CNCI [3]) as well as oversight of the cyber security expenditure of the federal agencies

Education:

1988 – 1992: Public Policy, Bachelor: Woodrow Wilson School, Princeton University

1993 – 1995: National Security, Master of Public Policy: Kennedy School of Government, Harvard

2000 – 2001: National Resource Strategy, Master of Science: Industrial College of the Armed Forces, National Defense University

Positions on cybersecurity:

- He advocates increased information exchange between business and government agencies as well as within the government, flanked by robust data protection provisions
- He likewise supports a "collaborative approach" to jointly finding minimum standards for the protection of critical core infrastructures. In order to win companies over for this, incentives for participation are to be created.

[3] The CNCI is a policy framework issued in 2008 and continued by the current administration to improve the cybersecurity of the USA.
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Sonstiges: 


Gilt als relativ „unbeschriebenes Blatt“ in der Szene. Selbst Washington-Insidern war 
er bis zur jetzigen Verwendung im WH unbekannt. In einschlägigen Fachkreisen 
genießt DANIEL einen exzellenten Ruf. Er wird beschrieben als sorgfältiger Zuhörer 
mit echten Führungsqualitäten, der schnell den Kern eines Problems identifiziert und 
praxis- / lósungs-orientiert denkt. Zudem verstehe er die Herausforderungen, vor 
denen die USA gegenwärtig im Cyberspace stehen, ebenso wie die Bedeutung und 
Dringlichkeit von deren Bewältigung. 


Es gebe nur wenige Angehörige in der aktuellen Administration, die über derart breite 
und tiefe Kenntnisse über die verschiedenen Programme, Fähigkeiten und 
Kapazitäten der Regierung im Bereich Cybersecurity verfügen. Die Ernennung wurde 
daher als Signal gewertet, dass DANIEL die zahlreichen Programme innerhalb der 
Regierung konsolidieren und integrieren wird. 


Hobbies: 


Karate, Soziales Engagement („Hands on DC”, Renovierung öffentlicher Schulen) 
Discussion objectives:

• Identify political and strategic common ground and, where applicable,
  gradual differences in cybersecurity policy-making,

• Discuss principles for state surveillance in the context of "norms for
  acceptable state behaviour" (including consequences of the current
  reporting on the intelligence services' interception practices), and

• Discuss new approaches in the area of Internet governance / capacity
  building.

Status:

• In his speech at the BKA autumn conference (his first trip to Europe),
  M Daniel sets out the US guidelines on cybersecurity (priorities,
  opportunities, challenges, nature of international cooperation). The
  clearly structured, comprehensive speech is suitable as a basis for
  discussion.

• Under the heading "New Normal", three challenges are presented and the
  process of getting used to them is problematised:

  o Increasing connection of things to the Internet and the accompanying
    growth of attack vectors.

  o More sophisticated malware that is hard to investigate, and
    widespread self-help for programming malware (malware help desks).

  o Increased willingness of malicious actors to engage in ever more
    destructive activities.

• Interesting depiction of cyberspace: not as a borderless space but as
  a space in which everyone lives at the border; its protection can no
  longer be left to the state alone, rather all bear a shared
  responsibility for it. The distinction between "external" and
  "internal" as the basis for dividing responsibility in the area of
  security is said to no longer apply here.

• Guiding principles under the conditions of the "New Normal" are said
  to be:

  1. Risk management with contingency/fallback plans
  2. Rapid information sharing (industry, government at all levels)
  3. "Teamwork" between the private sector, law enforcement, homeland
     security and civil society
  4. Network security
  5. Data protection and protection of civil rights

• International implementation of these principles is described as
  follows:

  1. Critical infrastructure protection begins in the USA (Presidential
     Executive Order: after 9 months a first draft of a framework with
     standards and practices was produced that helps companies raise
     their security level)

  2. Cybersecurity is seen as a core element of foreign policy and of
     relations with other states. The USA involves partners in
     solidifying "Norms of Cyber Behavior" with the goals of preserving
     openness, interoperability, security, reliability and stability.
     What is desirable is a routine/rapid response to requests for
     assistance in containing crime and other harmful activities that
     originate from one's own state. The USA is seeking cooperation on
     establishing mechanisms and capacity for this.

  3. In the area of Internet governance, a model is favoured that
     ▪ is trade-friendly,
     ▪ strengthens international security and
     ▪ promotes free expression and innovation
     (multistakeholder model).

  4. In the area of law enforcement cooperation, the following are
     highlighted:
     ▪ the EU-US WG Cybersecurity,
     ▪ the EU-US "Global Alliance Against Child Sexual Abuse Online" and
     ▪ the increased acceptance of the Budapest Convention (the Council
       of Europe's Cybercrime Convention).

  5. In the area of capacity building, the multistakeholder model is
     described as the path to success (growth and benefits for all).
     The USA has programmes for establishing rule-of-law principles in
     cyberspace, guidance on drafting cyber strategies, building CERTs,
     etc. Cooperation takes place with 14 West and Central African
     states. In view of limited resources, there is willingness to
     cooperate or divide labour with other states.
Suggested line of discussion:

• Let me pick up on your speech at the BKA conference (a good speech
  that addresses the pressing problems).

• We share the challenges described under the "new normal" conditions
  (the problem of the increasing connection of things to the Internet,
  the so-called "Internet of Things", and the accompanying growing
  potential of attack vectors; the harder investigation of more
  sophisticated malware; the increasing willingness of perpetrators to
  commit ever more destructive acts).

• Incidentally: the illustration of cyberspace as a border region
  without an "internal hinterland" is helpful for making clear the
  shared responsibility in cyberspace, where everyone lives at the
  border, so to speak. This makes it clear that the traditional division
  of responsibility between internal and external security cannot simply
  be transferred to cyberspace and that we must rely on the
  responsibility of all actors. DEU likewise tries to take this
  consistently into account when implementing the national cyber
  security strategy and, for example, relies on close cooperation with
  industry for this.

• We agree with the guiding principles under the "new normal"
  conditions, i.e.

  o risk management,
  o contingency and fallback plans,
  o frequent and rapid information sharing,
  o teamwork at all levels, national and international,
  o network security has priority (defense by denial),
  o data protection and civil rights.

• In implementing these principles we see largely similar challenges to
  those of the USA:

  o Yes, critical infrastructure protection begins first in our own
    countries, and we are doing our "homework": the US Presidential
    Executive Order as well as the DEU discussion on an IT Security Act
    is bearing fruit (draft of a US framework of cybersecurity after 9
    months; the DEU IT Security Act will, from all we know about the
    state of the coalition negotiations, be taken up again by the new
    government. In essence it concerns sector-specific minimum IT
    security standards and an obligation for operators of critical
    infrastructure to report significant IT security incidents.)

  o DEU will also continue to contribute constructively to the ongoing
    deliberations on a Network and Information Security Directive at EU
    level (NIS Directive). DEU welcomes the bundling of measures to
    improve cyber security in the European Union. The harmonisation of
    minimum requirements and reporting obligations to improve cyber
    security, particularly in the area of critical infrastructure, is an
    important step here.

  o In DEU, too, we are integrating cybersecurity into foreign
    relations; regarding the establishment of "acceptable norms of state
    behavior in cyberspace", I already had the feeling in discussions
    with Howard Schmidt that we want the same thing substantively and
    also want to proceed the same way procedurally (application of norms
    accepted under international law online as well as offline, and a
    step-by-step approach with politically binding "soft law", from
    which customary international law can grow: cf. the 1948 Human
    Rights Convention as a model).

    ▪ Frankly, in view of the NSA discussion and the in no way
      acceptable interception of members of government of friendly
      states, it seems to me necessary that the trust of citizens in the
      state and its institutions, as well as trust between states, must
      be strengthened and, where necessary, regained. Within the
      framework of "Acceptable State Behavior" one could therefore
      consider also discussing principles for state surveillance:

      • legality
      • legitimate aim
      • necessity and adequacy
      • proportionality
      • requirement of an authorising order
      • transparency
      • public/parliamentary oversight

  o The ultimate goal must be to create a system that offers more
    security, is lawful, enjoys the trust of citizens and guarantees
    freedom and individual rights (SWE Foreign Minister Carl Bildt
    emphasised this at the Seoul Conference on Cyberspace).

• I would also like to go into the points raised in your speech,
  "Internet Governance", "Capacity Building" and "cooperation in law
  enforcement", in more depth with you.

  o Internet governance and capacity building can to some extent be
    seen together:

    ▪ In shaping cyberspace, the momentum of the discussions must be
      used; there are good reasons to continue pursuing the
      multistakeholder approach and to avoid state intervention in the
      form of regulation as far as possible. It has become apparent
      which technologies this approach has produced and what benefit
      results from it for people. Unfortunately there is a problem: the
      freely developed Internet governance model (critics would say it
      was created by digitally developed states for digitally developed
      states) has unmistakably led to a digital divide in the world. It
      is therefore obvious that cyber capacity building must become part
      of development aid.

    ▪ When it comes to protecting, strengthening and fairly shaping
      cyberspace, however, a certain degree of state influence combined
      with intelligent, appropriate and creative solutions is unavoidable
      or indeed desirable, just as in the physical world. The
      international dialogue has begun. Initial capacity building
      measures have been launched. A sensible division of labour among
      the digitally developed states (who does what where) should be
      possible. To a large extent this concerns the division of labour
      between the EU, including DEU, and the USA. I therefore propose
      first taking stock to see
      ▪ what work is already being done (such as the US engagement in
        West and Central Africa),
      ▪ what work follows from intergovernmental agreements,
      ▪ what work makes economic sense,
      ▪ what is politically/militarily necessary.

    ▪ To avoid a fundamental shift of competences away from the proven
      Internet multistakeholder eco-system, we should think about how we
      can contain the ITU ambitions, driven by authoritarian states, to
      take over competences in the area of cybersecurity. This could
      succeed if the numerous developing states (one country one vote in
      ITU) had another suitable discussion platform available, note
      well, with appropriate voting weight. Proposal, thinking freely:
      we could consider a model on the pattern of the IAEA
      (International Atomic Energy Agency) as a worldwide central
      intergovernmental institution for scientific/technical cooperation
      in the cyber area, with experts reporting to the UN General
      Assembly.

  o Cooperation in law enforcement:

    The Budapest Convention is indeed a valuable instrument in the fight
    against crime. However, since 2001 only about 40 states have signed.
    Important states such as CHN and RUS refuse to sign it, particularly
    because of the requirements of Art. 32. There is much to be said for
    giving thought to how the base can be broadened.


Strahl, Claudia

From: Mantz, Rainer, Dr.
Sent: Monday, 11 November 2013 17:29
To: ITD_
Cc: Treib, Heinz Jürgen; RegIT3
Subject: FW: Substantive preparation for the discussion/dinner of Stn RG
with Mr Michael Daniel, White House

Sent electronically in advance; the original is in the official channels.
Kind regards

Rainer Mantz

IT 3 - 17002/10#7

To
State Secretary (Stn) Rogall-Grothe

via
the IT Director

SVITD
Head of Division IT 3

Vote:

Link the discussion over dinner with Mr Michael Daniel to his speech at
the BKA conference.

Facts:

Mr Michael Daniel has the following travel plans on the margins of the
BKA autumn conference:

12 November
19:30 Dinner with the President of the BKA, Jörg Ziercke,

13 November
11:00-11:30 Meeting with the President of the BfV, Hans-Georg Maaßen,
16:30-17:30 Visit to the AA and discussion with Mr Dirk Brengelmann
19:00 Dinner with Stn Rogall-Grothe

The programme came about through the mediation of Dr Vogel (BMI liaison
officer at the US DHS). The dinner takes place at the Capital Club
(Mohrenstraße 30) from 19:00. Organisation is handled by Protocol; an
interpreter has been arranged.

Assessment:

The US side has indicated a need for discussion on several topics that
are addressed in Mr M Daniel's speech for the BKA conference, which was
sent to us in advance:

EU Cybersecurity Directive
Germany's domestic efforts and national strategy on cybersecurity
The U.S. Executive Order and cybersecurity legislation
Opportunities for enhancing U.S.-German cooperation on cybersecurity
Emerging norms of state behavior in cyberspace in peacetime
U.S. and German engagement with other countries

Given this situation, it makes sense to link the discussion substantively
to the statements in the speech and in doing so to pursue the following
objectives:

Identify political and strategic common ground and, where applicable,
gradual differences in cybersecurity policy-making,

Discuss principles for state surveillance in the context of "norms for
acceptable state behaviour" (including consequences of the current
reporting on the intelligence services' interception practices), and

Discuss new approaches in the area of Internet governance / capacity
building.

A corresponding discussion proposal, the speech and a CV of Mr M Daniel
are attached.

In line with the strength of the US delegation (as far as known here, 5
persons), Mr IT D, Drs Mantz and Vogel, Mr Franßen-Sanchez de la Cerda
and Mr Treib will also take part on the DEU side.

Attachments:
FINAL - Speech to the BKA Conf...
Vita M Daniel.docx
SZ Cybersecurity rev..docx
Division IT 3                                    Berlin, 12.11.2013
IT 3-17002/10#7                                  Ext. 2355

Head of Division: Drs Dürig/Mantz
Desk officer: OAR Treib

State Secretary Rogall-Grothe

Re: Dinner with Mr Michael Daniel on the margins of the BKA autumn
conference on 13 November 2013 in Berlin

1. Vote

Link the discussion over dinner with Mr Michael Daniel to his speech at
the BKA conference.

2. Facts

Mr Michael Daniel has the following travel plans on the margins of the
BKA autumn conference:

12 November

19:30: Dinner with the President of the BKA, Jörg Ziercke,

13 November

11:00-11:30: Meeting with the President of the BfV, Hans-Georg Maaßen,

16:30-17:30: Visit to the AA and discussion with Mr Dirk Brengelmann

19:00: Dinner with Stn Rogall-Grothe

The programme came about through the mediation of Dr Vogel (BMI liaison
officer at the US DHS).

The dinner takes place at the Capital Club (Mohrenstraße 30) from 19:00.
Organisation is handled by Protocol; an interpreter has been arranged.

Comments

The US side has indicated a need for discussion on several topics that
are addressed in Mr M Daniel's speech for the BKA conference, which was
sent to us in advance:

EU Cybersecurity Directive
Germany's domestic efforts and national strategy on cybersecurity
The U.S. Executive Order and cybersecurity legislation
Opportunities for enhancing U.S.-German cooperation on cybersecurity
Emerging norms of state behavior in cyberspace in peacetime
U.S. and German engagement with other countries

Given this situation, it makes sense to link the discussion substantively
to the statements in the speech and in doing so to pursue the following
objectives:

Identify political and strategic common ground and, where applicable,
gradual differences in cybersecurity policy-making,
Discuss principles for state surveillance in the context of "norms for
acceptable state behaviour" (including consequences of the current
reporting on the intelligence services' interception practices), and
Discuss new approaches in the area of Internet governance / capacity
building.

A corresponding discussion proposal, the speech and a CV of Mr M Daniel
are attached.

In line with the strength of the US delegation (as far as known here, 5
persons), Mr IT D, Drs Mantz and Vogel, Mr Franßen-Sanchez de la Cerda
and Mr Treib will also take part on the DEU side.

Dr. Mantz                    Treib
Desk officers: Dr Dimroth/Treib

Discussion objectives:

• Identify political and strategic common ground and, where applicable,
  gradual differences in cybersecurity policy-making,

• Discuss principles for state surveillance in the context of "norms for
  acceptable state behaviour" (including consequences of the current
  reporting on the intelligence services' interception practices), and

• Discuss new approaches in the area of Internet governance / capacity
  building.

Status:

• In his speech at the BKA autumn conference (his first trip to Europe),
  M Daniel sets out the US guidelines on cybersecurity (priorities,
  opportunities, challenges, nature of international cooperation). The
  clearly structured, comprehensive speech is suitable as a basis for
  discussion.

• Under the heading "New Normal", three challenges are presented and the
  process of getting used to them is problematised:

  o Increasing connection of things to the Internet and the accompanying
    growth of attack vectors.

  o More sophisticated malware that is hard to investigate, and
    widespread self-help for programming malware (malware help desks).

  o Increased willingness of malicious actors to engage in ever more
    destructive activities.

• Interesting depiction of cyberspace: not as a borderless space but as
  a space in which everyone lives at the border; its protection can no
  longer be left to the state alone, rather all bear a shared
  responsibility for it. The distinction between "external" and
  "internal" as the basis for dividing responsibility in the area of
  security is said to no longer apply here.

• Guiding principles under the conditions of the "New Normal" are said
  to be:

  1. Risk management with contingency/fallback plans
  2. Rapid information sharing (industry, government at all levels)
  3. "Teamwork" between the private sector, law enforcement, homeland
     security and civil society
  4. Network security
  5. Data protection and protection of civil rights

• International implementation of these principles is described as
  follows:

  1. Critical infrastructure protection begins in the USA (Presidential
     Executive Order: after 9 months a first draft of a framework with
     standards and practices was produced that helps companies raise
     their security level)

  2. Cybersecurity is seen as a core element of foreign policy and of
     relations with other states. The USA involves partners in
     solidifying ("solidify") "Norms of Cyber Behavior" with the goals
     of preserving openness, interoperability, security, reliability and
     stability. What is desirable is a routine/rapid response to
     requests for assistance in containing crime and other harmful
     activities that originate from one's own state. The USA is seeking
     cooperation on establishing mechanisms and capacity for this.

  3. In the area of Internet governance, a model is favoured that
     ▪ is trade-friendly,
     ▪ strengthens international security and
     ▪ promotes free expression and innovation
     (multistakeholder model).

  4. In the area of law enforcement cooperation, the following are
     highlighted:
     ▪ the EU-US WG Cybersecurity,
     ▪ the EU-US "Global Alliance Against Child Sexual Abuse Online" and
     ▪ the increased acceptance of the Budapest Convention (the Council
       of Europe's Cybercrime Convention).

  5. In the area of capacity building, the multistakeholder model is
     described as the path to success (growth and benefits for all).
     The USA has programmes for establishing rule-of-law principles in
     cyberspace, guidance on drafting cyber strategies, building CERTs,
     etc. Cooperation takes place with 14 West and Central African
     states. In view of limited resources, there is willingness to
     cooperate or divide labour with other states.
• Let me pick up on your speech at the BKA conference (a good overview
  that addresses the pressing problems).

• We share the challenges described under the "new normal" conditions
  (the problem of the increasing connection of things to the Internet,
  the so-called "Internet of Things", and the accompanying growing
  potential of attack vectors; the harder investigation of more
  sophisticated malware; the increasing willingness of perpetrators to
  commit ever more destructive acts).

• Your illustration of cyberspace as a border region without a
  "hinterland" is interesting: I share your assessment of the shared
  responsibility of states, industry and citizens in cyberspace.
  Nonetheless, governments remain responsible for ensuring that [...]
  originate from their territory. DEU likewise tries to take this
  consistently into account in implementing the national cyber security
  strategy, in that the BSI approaches providers when their systems are
  misused, e.g. for attacks against the US financial system.

• We agree with the guiding principles under the "new normal"
  conditions, i.e.

  o risk management,
  o contingency and fallback plans,
  o frequent and rapid information sharing,
  o teamwork at all levels, national and international,
  o network security has priority (defense by denial),
  o data protection and civil rights.

• In implementing these principles we see largely similar challenges to
  those of the USA:

  o Yes, critical infrastructure protection begins first in our own
    countries, and we are doing our "homework": the US Presidential
    Executive Order as well as the DEU discussion on an IT Security Act
    is bearing fruit (draft of a US framework of cybersecurity after 9
    months; the DEU IT Security Act will in all likelihood be taken up
    again by the new government once the coalition negotiations have
    concluded. In essence it concerns sector-specific minimum IT
    security standards and an obligation for operators of critical
    infrastructure to report significant IT security incidents.)

  o DEU will also continue to contribute constructively to the ongoing
    deliberations on a Network and Information Security Directive at EU
    level (NIS Directive). The harmonisation of minimum requirements and
    reporting obligations to improve cyber security, particularly in the
    area of critical infrastructure, is an important step here.

  o In DEU, too, we are integrating cybersecurity into foreign
    relations; regarding the establishment of "acceptable norms of state
    behavior in cyberspace", I already had the feeling in discussions
    with Howard Schmidt that we want the same thing substantively and
    also want to proceed the same way procedurally (application of norms
    accepted under international law online as well as offline, and a
    step-by-step approach with politically binding "soft law", from
    which customary international law can grow: cf. the 1948 Human
    Rights Convention as a model).

    ▪ Frankly, in view of the NSA discussion and the in no way
      acceptable interception of members of government of friendly
      states, it seems to me necessary that the trust of citizens in the
      state and its institutions, as well as trust between states, must
      be strengthened and, where necessary, regained. Within the
      framework of "Acceptable State Behavior" one could therefore
      consider also discussing principles for state surveillance:

      • legality
      • legitimate aim
      • necessity and adequacy
      • proportionality
      • requirement of an authorising order
      • transparency
      • public/parliamentary oversight

  o The ultimate goal must be to create a system that offers more
    security, is lawful, enjoys the trust of citizens and guarantees
    freedom and individual rights (SWE Foreign Minister Carl Bildt
    emphasised this at the Seoul Conference on Cyberspace).

• I would also like to go into the points raised in your speech,
  "Internet Governance", "Capacity Building" and "cooperation in law
  enforcement", in more depth with you.

  o Internet governance and capacity building can to some extent be
    seen together:

    ▪ In shaping cyberspace, the momentum of the discussions must be
      used; there are good reasons to continue pursuing the
      multistakeholder approach and to avoid state intervention in the
      form of regulation as far as possible. It has become apparent
      which technologies this approach has produced and what benefit
      results from it for people. Unfortunately there is a problem: the
      freely developed Internet governance model (critics would say it
      was created by digitally developed states for digitally developed
      states) has unmistakably led to a digital divide in the world. It
      is therefore obvious that cyber capacity building must become part
      of "development aid". And we must find a solution for the wish of
      the less IT-developed states to discuss Internet governance
      questions internationally.

  o To avoid a fundamental shift of competences away from the proven
    Internet multistakeholder eco-system, we should think about how we
    can contain the ITU ambitions, driven by authoritarian states, to
    take over competences in the area of cybersecurity. This could
    succeed if the numerous developing states (one country one vote in
    ITU) had another suitable discussion platform available, note well,
    with appropriate voting weight.

  o Cooperation in law enforcement:

    ▪ The Budapest Convention is indeed a valuable instrument in the
      fight against crime. However, since 2001 only about 40 states have
      signed. Important states such as CHN and RUS refuse to sign it,
      particularly because of the requirements of Art. 32. There is
      much to be said for giving thought to how the base can be
      broadened.

  o Reactive:

    ▪ Precisely with a view to the fact that the trust of citizens in
      the state and in new technologies must be regained, it does appear
      worth considering adapting and, where necessary, supplementing IT
      security standards for use in Germany so that compliance with them
      becomes verifiable.

    ▪ In addition, it has proven worthwhile to retain and promote
      capabilities and know-how in the provision of IT services, but
      also in production, at the national level as well.
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REMARKS BY SPECIAL ASSISTANT TO THE PRESDENT AND WHITE HOUSE 
a2 2 SANL DE EREDDENI AND WHITE HOUSE 


CYBERSECURITY COORDINATOR MICHAEL DANIEL 


German BKA Conference 
“Cybercrime: Threat, Intervention, Defense” 
November 13, 2013 


OPENING COMMENTS 





Good morning everyone. Thank you for the kind introduction. It’s a pleasure to be here with you 
here in Wiesbaden for the BKA’s annual conference - particularly this one given its focus on 
"Cybercrime: Threat, Intervention, Defense." I'd like to congratulate our German hosts for 
putting on such an excellent event. 


e My name is Michael Daniel, and I currently serve as Special Assistant to the President and 
i Cybersecurity Coordinator at the White House. 


In my role, I lead the United States Government’s development of national cybersecurity strategy 
and policy and oversee the implementation of those policies on behalf of President Obama. 


One of the great parts of this job is to getting to engage and listen to a diverse range of 
representatives from across government, the private sector, and academia. I’ve particularly been 
looking forward to this conference; this is my first trip to Europe in my capacity as the 
Cybersecurity Coordinator. 


Today, I would like to provide an overview of some of the U.S. Government's current thinking 
on cybersecurity, including our priorities, areas of potential challenges and opportunities, and 
how the United States and Germany can work together to improve our collective security in 
cyberspace. 


THE “NEW NORMAL” 





@ But first, I'd like to briefly talk about the challenges we face in cyberspace. As all of you know, 
cyber threats pose a significant problem for governments and businesses alike. From the White 
House perspective, three trends make the cyber threat particularly troubling: 


e First, the threat is becoming broader and more diverse — as we hook more and more items 
up to the Internet, the potential vectors for attack are growing exponentially, making the 
area we need to defend ever bigger. And we are continually connecting new and 
different things to the Internet — think everything from cars to coffee makers to 
distributed sensors - so the problem of defense is even more challenging than “simply” 
protecting desktops connected by wires. 


• Second, the threat is becoming more sophisticated — malware is getting harder and harder
to detect, and it does more varied kinds of things. At the same time, you no longer have
to be a coder to use malware. Not only are malicious developers making malware easier
to use, in some cases, cybercriminals have established on-line help desks, so that if your
malware doesn't work, you can call and get help.
• Third, the threat is becoming more dangerous — malicious actors are showing an
increasing willingness to be more destructive in their activities, as we have witnessed 
with the attack against Saudi Aramco last year and South Korean banks earlier this year. 


But what is ultimately more concerning is how "normal" these threats are becoming. The new 
normal is not massive power outages or train traffic grinding to a halt nationwide—those kinds 
of things are not “normal.” At least, not yet. Rather, these trends are leading to a “new normal” 
that is less flashy than a Hollywood action movie, but still very troubling: persistent intrusions, 
violations of privacy, thefts of business information, and degradation and denial of service to 
legitimate entities trying to do business or getting their message out on the Internet. 


NO INTERIOR TO CYBERSPACE 





As we think about how to manage these threats, we have to keep in mind one unique
characteristic of cyberspace. Traditionally, the argument has been that cyberspace has no
borders, and that's both a strength (the free flow of information drives huge economic benefits)
and a problem (it allows malicious actors great freedom of movement).


But I would argue that such arguments are not entirely correct. There are borders and boundaries
everywhere in cyberspace. Every place there is a firewall or a connection point, there is a
border. Instead, what cyberspace lacks is an interior — there is no “inside” to our network spaces.
Everyone effectively “lives” at the border. We are all connected through cyberspace, and that
interconnectedness means that everything and everyone touches an edge or a border in some
fashion.


And this reality has some profound implications for how we organize ourselves as a society to
protect ourselves in cyberspace — and how I try to carry out my cybersecurity role. For example, 
in the physical world, we assign the mission of “border security" to the national government. 

But if everyone lives right at the border in cyberspace, then it's not physically possible to assign 
the "border security" mission to just one group or element of our society, even the national 
government. It becomes a shared mission, one that everyone in a country or society has a role in. 
And it means that conventional ways of thinking about threats need to change as well. For 
example, in many countries, citizens expect national governments to deal with “external” threats, 
while local governments tackle limited “internal” threats, like crime. But we have seen states 
taking malicious action through locally based servers and petty criminals stealing money from 
abroad; we can no longer simply use "external" and "internal" as the basis for allocating 
responsibility for action. 


GUIDING PRINCIPLES 





So how do we improve our collective security in a “new normal" of daily intrusions against 
individuals, businesses, and governments? If you were hoping that I would now supply the 
answers to these questions, I am afraid I am going to have to disappoint you. I don’t have those 
complete answers yet, nor do I think anyone does. However, I would like to highlight some of
the principles we are following in the United States as we work to address this challenge. 
Compromises Are Inevitable; Plan for Them. In living with this “new normal,” we cannot be
surprised when intrusions and outages occur. Instead, we must be prepared. Businesses and 
governments alike should develop and test their cybersecurity incident response plans; use 
modern network defense best practices and technologies; and continuously monitor their 
networks under the assumption that they have been breached. And everyone should have 
contingency and fallback plans in place with service providers should all else fail. 


Information Must Be Shared, Frequently and Rapidly. Cybersecurity is a shared challenge 
and the international community has a shared responsibility in working together to address it. To 
do so, we all must be willing and able to share information about the respective threats we face. 
This requires collaboration at all levels: between governments; between government and 
industry; and between companies in the private sector. After all, the threats that we face today 
may be the threats you face tomorrow. 


Teamwork is a Requirement. In speeches back home, I often say: "cybersecurity is a team 
sport." What I mean is that no single entity in our country can address this issue alone. Everyone, 
from the private sector to law enforcement to homeland security to civil society, has a role to 
play. This is true in the United States and I believe it is true internationally — if we are only as 
strong as the weakest link in our interconnected networks, we each share responsibility for the 
safety and security of one another. 


Network Defense First. The risk of misattribution, miscalculation, and escalation in cyberspace 
is very real. As a government, we consider all of our cybersecurity and network defense 
activities against their possible foreign policy implications and our desire to establish 
international norms of acceptable behavior in cyberspace. We don't want our response to a minor
cyber incident to harm our relationships with other nations or worse, result in physical conflict.
As a result, we will undertake network defense activities first and work hard to make these 
solutions effective before using other means of dealing with malicious activity. 


Protect Privacy and Civil Liberties. The United States firmly believes cybersecurity and 
privacy are mutually reinforcing, not in competition. Done properly, cybersecurity protects 
privacy and civil liberties by strengthening the networks and systems that contain personal 
information—and we are taking steps to make that vision a reality. We are building protection 
for personal data into our cybersecurity framework for critical infrastructure; ensuring that our 
network defense actions reflect our commitment to protecting the privacy and civil liberties of 
the users of those networks; and engaging privacy advocates and other key stakeholders on 
discussions on how to safeguard privacy and civil liberties while supporting business and 
enhancing security. We also insist on strong privacy protections in any cybersecurity legislation 
that our Congress considers. All of our partners, both in the United States and internationally, 
must have confidence in our ability to protect information you choose to share with us. 


PUTTING THE PRINCIPLES IN PRACTICE INTERNATIONALLY 


We are putting these principles into practice across all of our cybersecurity efforts — both 
domestically and internationally. 


Protecting Critical Infrastructure 
First, we are working to strengthen the cybersecurity standards and practices in our critical
infrastructure sector. As a key step in this effort, earlier this year, President Obama signed an
Executive Order directing several actions aimed at exactly this goal. In particular, the Executive
Order strengthens the U.S. Government’s partnership with critical infrastructure owners and
operators to address cyber threats through information sharing, the protection of privacy and civil
liberties, and the development of a framework of cybersecurity best practices and standards.


We believe that governments have a clear role in helping private sector companies help 
themselves, especially when it comes to critical infrastructure owners and operators. To that 
end, the Executive Order requires the U.S. government to increase its efforts to share actionable 
information with those who need it the most — network defenders, companies, and other 
governments. We have already started this and want to do more of it. For example, we have 
shared hundreds of thousands of signatures and indicators of malicious cyber activity with the 
private sector and over a hundred nations just in the past six months. It also incorporates strong 
privacy protections by mandating that Federal agencies follow the Fair Information Practice 
Principles or FIPPs when implementing their cybersecurity actions. 


But we recognized information sharing alone would never be enough; we also needed to raise the 
bar for cybersecurity in the United States. So, the Executive Order also directed the creation of a 
framework of cybersecurity best practices and standards for critical infrastructure. Over the last 
9 months, the U.S. government has collaborated with the private sector to develop this 
framework. Let me be clear: the framework is not a scientific breakthrough in cybersecurity. It
is actually more basic, outlining the best practices that many firms already do. What it does do,
however, is provide a structured way for companies to think about their cybersecurity risk,
determine their current level of cybersecurity, and then decide what they would like their level to
be. The framework then points to the standards and practices that, if implemented, will get
companies to their desired cybersecurity level.


We recently completed the preliminary draft of this framework. We think it is an excellent start,
but we know it can and will be improved upon in the future. As part of the process for finalizing
the preliminary draft, we have asked for companies, industry sectors — in fact, almost anyone — to
implement the framework and provide us with feedback on what works and what does not. That
request extends internationally as well - we welcome feedback from any government or any
multinational company that chooses to provide it. As I said before, the United States does not
have all the answers — by working with our international partners, we know we can achieve more
together than we ever could individually.


Norms Development and Foreign Policy 


Second, we are working to integrate cybersecurity as a core element of our foreign policy 
relationships with other countries. Since cybersecurity is a shared responsibility, it is not 
exclusively a domestic issue. 


In cyberspace, as elsewhere, states have a special responsibility to protect their own national 
security and promote peace and stability with other nations. Consequently, we continue to 
engage our Allies and partners worldwide to solidify norms of cyber behavior — what states and 
other actors should and should not do in cyberspace — and to ensure the Internet remains open,
interoperable, secure, reliable, and stable, following the principles outlined in the U.S. 
International Strategy for Cyberspace. In doing so, we are striving to create an environment in 
which everyone can benefit from cyberspace, in which cooperation is encouraged, and in which 
there is little incentive for states to disrupt or attack one another. 


But the truth is that actions speak louder than words. So to promote the norms we want, we must
take the steps to make them a reality. We need to move to an environment where all countries 
routinely and quickly respond to requests for assistance in mitigating cybercrime and other 
malicious cyber activities emanating from their territory. The United States is committed to 
working with the international community to build the processes and capacity needed to respond 
to malicious activity through such collective action. 


Internet Governance 





Third, the United States remains steadfast in our support for an Internet governance model that
supports international trade and commerce, strengthens international security and fosters free
expression and innovation. We strongly believe that proposals advocating international
regulation to curb the open and free nature of the Internet would slow the pace of innovation and
economic development and could lead to unprecedented control over what people say and do
online. Such proposals play into the hands of repressive regimes that wish to legitimize 
inappropriate state control of content. Instead, we believe that governments, the private sector, 
and civil society all have an important voice on the future of the Internet. If we truly believe that 
the path to economic growth and prosperity is through an open, connected world, we must 
strengthen—not weaken—the multistakeholder institutions that are critical to the management 
and administration of the Internet itself. 


Law Enforcement Cooperation 


Fourth, we believe that we must increase our ability to disrupt malicious activities in cyberspace. 
In order to achieve this goal, we must deepen our law enforcement cooperation across the 
international community, but particularly with Germany and other European allies. The United 
States and Europe have had several successes in recent years:


• We established an EU-US Working Group on cybersecurity and cybercrime to identify
common goals and actions to achieve those goals;

• We have had success in getting more countries to ratify the Council of Europe
Convention on Cybercrime and make it a truly global instrument for combatting
cybercrime; and

• Last year the United States and the EU launched the Global Alliance Against Child
Sexual Abuse Online.


All of these are notable achievements. But as technology continues to evolve, our legal responses 
must evolve with it. Issues such as data protection, law enforcement access to data across 
borders, or information sharing between the public and private sector create new challenges for
our law enforcement cooperation. We can, and must, ensure that our cooperation meets those 
challenges in order to address the ever-evolving threat from cybercriminals and non-state actors. 


Capacity-Building


While I've talked at length about the United States’ cybersecurity efforts, we are mindful that
many countries are still working to develop the industries, technologies, and connectivity
necessary for economic development in the 21st century. To bridge that gap, we are committed to
connecting more people around the world to the digital future. The United States believes
that expanded global access to telecommunications and broadband services—combined with an
inclusive, multistakeholder-driven Internet governance model—remains the best path towards
economic growth that benefits everyone.


And finally, we are committed to assisting developing nations around the globe build their
cybersecurity capacity. Across the U.S. government, we have established programs to help
governments create cybersecurity policies and programs from the ground up. These programs
help address any number of needs, such as developing rule of law in cyberspace; drafting
national cybersecurity strategies; and creating computer emergency response teams. As just one
example, the U.S. State Department has spent significant time and effort working with Senegal
and Ghana to build long-term cybersecurity partnerships between the United States and fourteen
states in West and Central Africa.


We are only one country, however, and we do not have unlimited resources. Therefore, we are 
eager and willing to work with other nations on awareness-raising, legal and technical training, 
and other initiatives that will bolster our collective pursuit of an open, interoperable, secure, and 
reliable cyberspace. 





U.S.-EUROPEAN CYBER COOPERATION 


I would be remiss in giving this speech if I did not emphasize how much the United States values 
our cybersecurity partnership with Europe — and particularly with Germany. You have been, and 
will continue to be, a key ally in building a more safe and secure cyberspace: 


• As I mentioned above, on cybercrime, our law enforcement agencies have a long-standing
and deep cooperative relationship and continue to work together on
investigations and prosecutions.


• On incident response, our computer emergency response teams work together regularly to
share threat information and address malicious cyber activity. In particular, we were 
deeply grateful for the timely and immediate assistance the German government provided 
earlier this year when we asked for help with ongoing denial of service attacks against 
our banks and financial sector. 
• On foreign policy, our diplomats continue to be the staunchest of allies for our “like-minded”
views on the applicability of international law to cyberspace and norms of
behavior for states in cyberspace.


We are committed to this partnership. While the United States and Germany at times differ in 
our opinion of the best way to build a more safe and secure cyberspace, we do agree on the 
importance of this mission. We cannot and must not lose sight of the fact that our cooperation 
and continued dialogue serves to strengthen and secure cyberspace for both our citizens. 


CONCLUSION 
I'd like to conclude with a few final thoughts: 


• First, while we must continue to be mindful of the threats we face, we must all improve
our collective cybersecurity capability through collaboration and partnership. 


• Second, solving our cybersecurity challenges will not be easy and will require persistence
from all of us. But as President Obama said in his State of the Union address earlier this 
year: “We cannot look back years from now and wonder why we did nothing in the face 
of real threats to our security and our economy.” 


• Finally, the Information Age has only just begun. While the issues we face are complex
and challenging, we have an opportunity now to put the foundation in place for a safer 
and more secure future. I, for one, look forward to that challenge. 


Again, I'd like to thank our hosts of this conference for putting on such a wonderful event. I 
appreciate the opportunity to speak to all of you and look forward to our continued work to meet 
these challenges. Thank you.
From: Feyerbacher, Beatrice [beatrice.feyerbacher@bsi.bund.de]
Sent: Wednesday, 13 November 2013 17:15
To: St Rogall-Grothe; Schallbruch, Martin
Cc: Franßen-Sanchez de la Cerda, Boris; BSI Hange, Michael; BSI Könen, Andreas
Subject: Brief minutes of the Hange/Daniel conversation
Attachments: 131112 Gespräch mit Michael Daniel Kurzprotokoll.pdf, VPS Parser Messages.txt


Dear Mr Schallbruch,
dear colleagues,

As discussed with Mr Hange today, please find attached our
brief minutes of yesterday's conversation with Mr Daniel.

Best regards to Berlin
Beatrice Feyerbacher
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Leitungsstab (Executive Staff)
Godesberger Allee 185-189
53175 Bonn

P.O. Box 20 03 63
53133 Bonn

Phone: +49 (0)228 99 9582-5195
Fax: +49 (0)228 9910 9582-5195
E-mail: beatrice.feyerbacher@bsi.bund.de
Internet:

www.bsi.bund.de

www.bsi-fuer-buerger.de
VS - NUR FÜR DEN DIENSTGEBRAUCH (classified: for official use only)


Conversation with Michael Daniel (Special Assistant to the President, Cyber Security Coordinator), 12 November 2013
Brief minutes


At the start of the conversation, Mr Hange introduced the BSI and referred to the
cooperation between the BSI and US authorities. He stressed the current political and
public debate in Germany, which has, among other things, also called into question the
cooperation between the BSI and the NSA (keyword Süddeutsche: BSI is a key partner of
the NSA). The crisis of confidence in this context had reached not only politics and the media
but also German industry at large. There were also many inquiries as to how far
products from US manufacturers could be trusted. This debate had to be taken into
account; the cooperation between the BSI and US authorities (SECAN, CCRA) should, as far
as possible, not lead to any further public debate. Within the CCRA, an appropriate
level of evaluation had to be maintained. An international CCRA agreement was indeed
necessary, but US companies had to be willing to be more transparent, also in order, for
example, to obtain a BSI certificate and to dispel German companies' doubts about US products.
Mr Daniel pointed out that talks with US industry were already taking place
in order to maintain openness and transparency. Establishing additional transparency
was also currently under discussion. Mr Painter stressed that there must not be
too many systems/schemes, since this might be exploited to drive the
"like-minded" states apart. Cooperation at the political and
technological level should be continued.
Mr Hange again stressed that an international agreement was urgently required and
also desired on the German side, but that this required an appropriate level,
in particular with the option of also being able to carry out vulnerability analyses
of products.


Cryptography

In the conversation, Mr Hange stressed the importance of cryptography and that it had
to be strengthened further against the background of the current debate, since
cryptography represents a strong security anchor.

Mr Daniel agreed on the importance of cryptography as a strong instrument of
protection. This would be of even greater importance in future. Mr Painter pointed out,
however, that cryptography in the "wrong hands" was extremely problematic
and that, moreover, the concerns of law enforcement must not be forgotten.

Mr Hange agreed, but pointed out that on the subject of cryptography the
balance between the benefits of public and private security had to be weighed against
the background of the current situation.


Cooperation, Internet Service Providers, Standards/Critical Infrastructure (KRITIS), Data Protection
The American side praised the BSI's support during the attacks on the
US banks ("the most helpful partner"). Mr Hange explained that the incident had also been
instructive for the BSI and for him personally, since it made the possibilities of
cooperation with the Internet service providers (ISPs) apparent. Contact with
the ISPs was also important in Germany insofar as Germany is also used as a relay station
for attacks. Mr Painter stressed that cooperation with the ISPs in Germany was considerably
more advanced than in the USA. The sandbox system, for example, had only recently
come under discussion in the USA.


Mr Hange added that in future he saw more responsibility with the providers. Mr
Daniel underlined that this tendency also exists in the USA ("away from the
expectation that we are our own IT mechanics").


Mr Hange underlined that with increasing penetration and complexity,
IT security standards should play a stronger role in international cooperation
and must be developed and implemented in good time, particularly in the context of
networks. The development of the energy grid was an example.
Mr Daniel agreed that security must be considered and built in from the outset
rather than as an afterthought. This applied in particular to critical infrastructures. The
White House was pushing forward the Executive Order (EO) issued last year. The
framework for the President's corresponding Executive Order is to be published in
February. The framework will not be final but is then to be
discussed further.


Mr Daniel pointed out that, against the background of the current debate, the
subject of data protection was coming more to the fore in the USA. This was already
visible in the above-mentioned EO, for example. However, talks with US industry on the
"right" balance between data protection and other interests were still ongoing here.


Cooperation

The US side stressed that close cooperation with the BSI continued to be
desired. Reference was also made to the joint interagency consultations,
in which the BSI also takes part. Mr Painter offered that the annual
consultations could take place earlier rather than only in summer 2014 (the last
meeting took place in June 2013).

The BSI announced that, as a consequence of the current debate, it would bring
interests and demands regarding IT security to the US side (internal note: in coordination
with the BMI).







MAT A BMI-1-11e_12.pdf, Blatt 557 


Division IT 3 Berlin, 18 November 2013
IT 3-17002/1047 Extension: 2355

Head of division: Drs Dürig/Mantz
Desk officer: OAR Treib







Bundesministerium des Innern


To: State Secretary Ms Rogall-Grothe


Re: Dinner with Mr Michael Daniel on the margins of the BKA autumn conference
on 13 November 2013 in Berlin




1. Recommendation


In the bilateral relationship with the USA, actively maintain the exchange regarding the
"US Framework" and Executive Order 13636 ("Improving Critical Infrastructure Cybersecurity")
and German IT security legislation, advocate improved cooperation between the
Cyber-AZ (National Cyber Defence Centre) and the US National Cybersecurity &
Communications Integration Center (NCCIC), and contribute specific proposals on the
development of "Norms of State Behavior".
2. Facts
In the conversation with Mr Daniel, who was accompanied by, among others, the Cyber
Coordinator at the State Department, Mr Christopher Painter, the following points were
discussed:
• NSA affair and loss of trust
• Characteristics of cyberspace and cooperation with industry
• Regulatory approaches in the area of IT security
• Communications sector as critical infrastructure
• Norms of State Behavior in Cyberspace
• Bilateral consultations of DEU and USA with CHN


3. Assessment
Both sides agree on the following points:
• it is necessary to continue working together,
• mutual trust is an essential prerequisite for this,
• trust can be created or regained and made visible through concrete,
demonstrable projects, e.g.
o joint exercises,
o a joint project to take down a botnet, as has already happened in the
attack on the US banking system.


Views and situation in the USA in detail:

NSA affair: The USA recognises disadvantages resulting from the NSA affair, particularly in
the economic environment, insofar as DEU and other European states are starting to
consider relying more heavily on local and thus more trustworthy solutions in
technology/communications technology in future, including routing. The US side
advocates increased transparency measures.

Cyberspace and cooperation with industry: The USA is trying to find a balance between
action by the state and by industry for the challenges to be tackled jointly, e.g. by
establishing central information points ("hubs") and cooperating in the identification
and analysis of criminal acts (keyword: "forensic training"). The aim is to effectively
prevent the repetition of criminal acts once their pattern has been recognised. The
financial sector in the USA is far ahead of other sectors in this respect. Faster
information exchange is also being sought in particular for the electricity, oil and gas
sectors.


Regulatory approaches in the area of IT security: No comprehensive IT security
legislation is planned in the USA; rather, smaller legislative amendments within
existing laws are conceivable. In the critical infrastructure (KRITIS) area, the USA relies on
voluntary action in order to get KRITIS operators to adopt appropriate measures on the
basis of a "framework" with "best practices". Smaller companies are meant to learn from
larger or better-positioned companies; "assessments and audits" and "security
insurances" are intended as incentives. For reporting obligations of industry regarding
cyber attacks, the principle is "customer information first, then information to the
government". Emergency and contingency plans and tests of "back-up capability" are
considered important.


Communications sector as critical infrastructure: With regard to the communications
sector, it should be noted that the competent Federal Trade Commission (FTC) still
favours strict state regulation in the area of voice telephony but, for the Internet,
cannot bring itself to regulate Internet service providers (keyword "net neutrality").


"Norms of State Behavior": The USA sees a good basis created by the agreement in the
UN Cyber GGE to apply existing principles of international law to cyberspace. In a
second step, the discussion should now be about how these principles are to be applied.
The difficult area of the law of war ("Law in Conflict") is not a priority for the USA;
"Peacetime Law" and attacks on critical infrastructures should be discussed first.


Bilateral consultations of DEU and USA with CHN: The USA would like to receive support
from the "like-minded" states, in particular DEU, in the dialogue with CHN; important
topics here are transparency and trustworthiness.





